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About This Guide 


This guide describes Novell® Nsure™ Audit. The guide is intended for network administrators and 
is divided into the following sections: 


+ Chapter 1, “Overview,” on page 13 

¢ Chapter 2, “System Architecture,” on page 15 

+ Chapter 3, “Installation,” on page 33 

+ Chapter 4, “Configuration Tools,” on page 47 

+ Chapter 5, “Configuring the Logging System,” on page 57 

+ Chapter 6, “Logging eDirectory, NetWare, and File System Events,” on page 73 
+ Chapter 7, “Managing Applications that Log to Nsure Audit,” on page 77 
+ Chapter 8, “Configuring System Channels,” on page 81 

+ Chapter 9, “Configuring Filters and Event Notifications,” on page 101 

+ Chapter 10, “Generating Queries and Reports,” on page 107 

+ Chapter 11, “Security and Non-Repudiation,” on page 141 

¢ Chapter 12, “Troubleshooting NSure Audit,” on page 149 

+ Appendix A, “Log Events,” on page 157 

+ Appendix B, “Using MySQL with Nsure Audit,” on page 167 

+ Appendix C, “Commands and Utilities,” on page 175 

+ Appendix D, “File Descriptions and Locations,” on page 185 

e “Glossary” on page 191 


Documentation Updates 


For the most recent version of the Novell Nsure Audit 1.0.1 Administration Guide, see the Novell 
Documentation Web site, (http://www.novell.com/documentation/lg/nsureaudit/index.html). 


Documentation Conventions 


In this documentation, a greater-than symbol (>) is used to separate actions within a step and items 
within a cross-reference path. 


A trademark symbol e, TM, etc.) denotes a Novell trademark. An asterisk (*) denotes a third-party 
trademark. 


When a single pathname can be written with a backslash for some platforms or a forward slash for 
other platforms, the pathname is presented with a backslash. Users of platforms that require a 
forward slash, such as UNIX*, should use forward slashes as required by your software. 


About This Guide 11 
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Overview 


This section provides an overview of the Novell® Nsure™ Audit Report auditing system and 
reviews auditing fundamentals. 


“Product Overview” on page 13 


+ “Auditing Background and Fundamentals” on page 13 


Product Overview 


Novell Nsure Audit is a centralized, cross-platform auditing service. It collects event data from 
multiple applications across multiple platforms and writes the data to a single, non-repudiable data 
store. Nsure Audit is also capable of creating filtered data stores. Based on criteria you define, 
Nsure Audit captures specific types of events and writes those events to secondary data stores. 


After you have collected the data, the next challenge is making sense of it. Using the query and 
report generating tools included with Nsure Audit Report, you can evaluate the information in your 
data stores to determine resource access, usage patterns, and overall compliance with 
organizational policies and regulations. 


Although queries and reports are invaluable in reviewing system activity, sometimes you need to 
know what is happening on your system as it happens. Therefore, Nsure Audit provides real-time 
notifications and real-time monitoring so you can assess and act on events as they occur. 


To some extent, Nsure Audit can even automate the process of responding to events in real time. 
The Critical Value Reset (CVR) channel allows you to flag Directory attributes with reset policies. 
If the value of a given attribute is changed, the CVR channel resets the value as per the policy 
defined in the CVR Channel object. For example, if your organization has a policy prohibiting 
security equivalence, you can create a CVR Channel object that automatically resets the Security 
Equals attribute to a null value if it is ever reset by an administrator. 


We understand that security standards are becoming increasingly rigorous. In order to manage 
liability and protect assets, organizations need to be able to provide a record of all their electronic 
proceedings and to identify when business policies are being violated. With real-time monitoring, 
notifications, and historical reporting capabilities, Novell Nsure Audit can give you the facts you 
need to make informed decisions and ensure the safety of your most valuable corporate asset—its 
information. 


Auditing Background and Fundamentals 


Novell Nsure Audit provides the tools you need to audit your organization’s compliance with 
internal and external policies and regulations; however, the use of secure logging technology such 
as Novell Nsure Audit does not, in itself, provide a complete auditing solution. Auditing is actually 
a human-driven process and Novell Nsure Audit is simply a tool to facilitate that process. 
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Therefore, a complete auditing strategy requires that you 


1. Define your organization’s security and usage policies. That is, determine what resources 
your users are allowed to access, what rights they have to those resources, and so forth. 


2. Log the events relevant to those policies. 


3. Configure Notification Filters to notify you in real time when a policy violation occurs. You 
can also use Notification Filters to route the events to the Critical Value Reset (CVR) channel 
to trigger an automated response to the violation. 


4. Perform regular compliance audits. This entails querying the data store for events relevant to 
your policies and then manually reviewing those events to determine if there are any 
violations of your corporate policies, when the violations occurred, and who was responsible. 


After you have implemented your auditing strategy, Novell Nsure Audit provides the information 
you need to assess overall compliance with organizational policies and to respond to policy 
violations in a timely manner. 


For example, in a secure environment, you might have a policy that prohibits assigning user rights 
using the Security Equals attribute because it makes it difficult to track and manage user rights. To 
audit this policy, you first configure Novell Nsure Audit to log the Change Security Equals event. 


To facilitate a timely response to policy violations, you configure a Notification Filter to send a 
message to your mailbox any time the Change Security Equals event occurs. You also have the 
Notification Filter route the event to the CVR channel, which is configured to automatically reset 
the Security Equals attribute on User objects to a null value. 


You can monitor your organization’s compliance with this policy by using iManager or Nsure 
Audit Report to query the data store for Change Security Equals events. You then review the query 
results to determine when violations occurred and who was responsible. 
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System Architecture 


Asa system administrator, you need a clear understanding of Novell® Nsure™ Audit architecture 
and functionality so you can better design, configure, and maintain your auditing system. This 
section provides a basic explanation of the components that make up Novell Nsure Audit. 


+ “Nsure Audit System Components” on page 15 
+ “Platform Agent” on page 16 
+ “Secure Logging Server” on page 20 
+ “Data Store” on page 25 
+ “Reporting Applications” on page 26 
+ “Configuration Objects” on page 26 
+ “Logging Services Container” on page 27 
+ “Logging Server Object” on page 28 
+ “Nsure Audit Attributes on the NCP Server Object” on page 28 
+ “Application Objects” on page 28 
+ “Channel Objects” on page 29 
+ “Notification Objects” on page 30 


Nsure Audit System Components 


Novell Nsure Audit has a highly modular architecture. Product functions are strategically divided 
among several different components to protect data integrity, optimize system performance, and 
provide maximum flexibility. Depending on usage and system resources, these components can be 
located on a single server or distributed across multiple servers. 


The full auditing system consists of the following components: 
¢ Platform Agent 
+ Secure Logging Server 
+ Data Store 
+ Reporting Applications 


The Platform A gent, Secure Logging Server, and data store are the central components in this 
structure. To log events from system applications to the data store, Novell Nsure Audit uses a 
client/server model. The Platform Agent, as the client piece, receives all log data from the system 
applications. It securely transmits this data to the Secure Logging Server, which then writes the 
information to the data store. 
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Separating the Platform Agent from the actual logging function provides the following 
advantages: 


+ You can run Platform Agents on multiple servers throughout the network while still 
maintaining a single data store. 


+ Applications are not slowed down trying to commit an event to disk. Applications simply 
relay their log events to the Platform Agent, which then transmits the information the Logging 
Service. The Secure Logging Server assumes the full load of writing events to disk. 


+ You can off-load the system’s logging overhead by running the Secure Logging Server on a 
dedicated server. 


The remaining Nsure Audit component includes two reporting applications: ¡Manager and Nsure 
Audit Report. These supplementary tools allow you, as the administrator, to tap vital data from the 
system. 


The following sections provide a discussion of each component in the Nsure Audit architecture. 
+ “Platform Agent” on page 16 
+ “Secure Logging Server” on page 20 
+ “Data Store” on page 25 
¢ “Reporting Applications” on page 26 


Platform Agent 


The Platform A gent (logevent) is the client portion of the Nsure auditing system. The Platform 
Agent receives logging information and system requests from authenticated applications and 
transmits the information to the Secure Logging Server. 


For more information on program binaries, see “Program Files” on page 185. For more 
information on how applications authenticate with Nsure Audit, see “Authenticating Logging 
Applications” on page 141. 


Ifthe connection between the Platform Agent and the Secure Logging Server fails, applications 
continue to log events to the local Platform Agent, just as they always do. The Platform A gent 
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simply switches into Disconnected Cache Mode and the Cache Module writes all logged events to 
the local cache until the connection is restored. The switch into Disconnected Cache Mode is 
completely transparent to the logging applications. For more information, see “Disconnected 
Mode Cache” on page 57. 
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Supported Applications 
Currently, the Platform A gent can receive log events from the following: 
+ Novell eDirectory™ 6.0 and higher 
+ DirXML® 2.0 
+ NetMail™ 3.5 and higher 
+ iChain® 2.2 SP1 
+ BorderManager? 3.8 
+ NetWare® NSS File System 
+ NetWare Traditional File System 


NOTE: Before an application can log events to Novell Nsure Audit, it must be able to authenticate with the 
system and report events in the auditing system's required format. For more information on the authentication 
process, see “Authenticating Logging Applications” on page 141. For more information on event structure, see 
“Event Structure” on page 157. 
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Supported Platforms 


The Nsure Audit architecture requires that the Platform Agent be locally installed on every server 
or workstation running applications that log events to Nsure Audit. 


This design ensures secure, uninterrupted logging because the logging applications are insulated 
from external communication failures. 


Currently, the Platform Agent can be installed on servers or workstations running the following 
operating systems: 


+ NetWare 4.2 and higher 
+ Windows* NT*, Windows* 2000, Windows XP 
+ Solaris* 8 and 9 


+ Red Hat* Linux* 7.3 and 8 
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Platform Agent Configuration 


The Platform Agent is not configured through eDirectory. Instead, the Platform Agent's 
configuration settings are stored in a simple, text-based configuration file (logevent). This makes 
the Platform Agent small, unobtrusive, and self-contained—that is, it has no external dependencies 
so it is always available to receive logged events. Storing the Platform Agent’s configuration in a 
text-based file also allows the Platform Agent to eventually run on platforms that do not have 
eDirectory support. 


The logevent file stores the host name or IP address of the logging server, the Disconnected Mode 
Cache directory, port assignments, and other related information. For more information on 
Platform Agent configuration settings, including a sample logevent file, see “Logevent” on 

page 58. 
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Secure Logging Server 


The Secure Logging Server (lengine) is the server component in the Nsure auditing system.The 
Secure Logging Server manages the flow of information to and from the Nsure auditing system— 
that is, it receives incoming events and requests from the Platform Agents, logs information to the 
data store, monitors designated events, and provides filtering and notification services. It can also 
be configured to automatically reset critical system attributes according to a specified policy. For 
more information on program binaries, see “Program Files” on page 185. 


The Secure Logging Server is configured through eDirectory. The Logging Server object contains 
all the configuration settings for the Secure Logging Server. Consequently, the logging server 
must have access to eDirectory and the Logging Server object before it can launch the Secure 
Logging Server. For more information, see “Configuring the Secure Logging Server” on page 60. 


NOTE: To minimize server reaction time and ensure high system performance, you should create a local 
replica of the Logging Server object and its associated objects on the logging server. 
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The Secure Logging Server can be installed to the following platforms: 
+ NetWare 5.1 SP6 and higher 

+ The Java* driver requires JVM* 1.3.1 

+ NetWare 6.0 SP3 and higher 

+ The Java driver requires JVM 1.3.1 

+ NetWare 6.5 

+ Windows 2000 SP3 

¢ Solaris 8 and 9 


+ Red Hat Linux 7.3, 8.0, and 9.0 


The Secure Logging Server provides the following services: 
+ Event Management 
+ Logging and Notification Channels 
+ Logging Service 
+ Notification Service 


A description of each service follows. 
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Event Management 


The Event Manager receives all incoming data from the Platform Agents and directs the 
information to the appropriate service. It also routes outgoing information from the logging server 
to the appropriate Platform Agent. 


This mode of operation is very efficient. Indeed, the Event Manager service is designed to 
maximize system efficiency and performance. Depending on the Secure Logging Servers cache 
settings, the Event Manager can handle more than 60,000 events per second. For information on 
configuring the Secure Logging Server’s cache, see “Logging Server Objects” on page 61. 
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Logging and Notification Channels 


The Secure Logging Server uses channels to log events and provide event notification. For 
example, to e-mail events, the logging server uses the SMTP channel; to log events to an Oracle* 
database, the logging server uses the Oracle channel; and so forth. 


Nsure Audit currently supports the following channels: 


SMTP Oracle (Only available on NetWare using the Java 
JDBC channel driver.) 

SNMP File 

Java Syslog 

MySQL CVR (Critical Value Reset) 


Third-party channels can be easily incorporated into this structure. For more information, see the 
Novell Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 
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Logging Service 


Channels are configured in eDirectory using Channel objects. Each Channel object stores the 
information the logging server needs to use its associated channel. For further information, see 
“Channel Objects” on page 29. 
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The Logging Service is the only Nsure Audit component that can write to the data store. This 
design protects log data from unauthorized record modification, insertion, or deletion. 


To ensure that the auditing system maintains accurate records, the Event Manager delivers all 
incoming data directly to the Logging Service. All events and requests must be recorded in the data 
store before the Event Manager sends them to the Monitoring or Notification services. 


Write times vary per storage option. On a P4 Xeon class server, the Logging Service can write 
approximately 60,000 events per second to a flat file in a file system or 3,000 events per second to 
a MySQL* database. 
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Using the logging server’s channels, the Logging Service can write events to the following storage 
devices: 


¢ Flat file in the file system 
+ MySQL database 

+ Oracle database 

+ Syslog database 


NOTE: Although you can actually use any channel to log events, we recommend that you only log to the 
Syslog, MySQL, Oracle, or File channels. 


For more information on configuring these channels, see Chapter 8, “Configuring System 
Channels,” on page 81. 


The Notification Service provides two kinds of notification: filtered and heartbeat. Filtered 
notification tells you when a specific event has occured; heartbeat notification tells you when an 
event has not occured. 


In both cases, the Notification Service identifies the event and routes it to specific channels. For 
example, the Notification Service can send a notification event to a system administrator’s 
mailbox or cell phone using the SMTP channel, route the event to the network management system 
as an SNMP trap, or write the event to a flat file in the file system or to a Syslog, MySQL or Oracle 
database. 
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Both filtered and heartbeat notifications are configured in eDirectory using Notification Filter and 
Heartbeat objects. These objects define event criteria and designate which Channel objects are 
used to provide event notification. For more information, see “Notification Objects” on page 30. 
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Using its available channel drivers, Nsure Audit can log events to the following storage devices: 


Data Store 


¢ Flat file in the file system 
+ MySQL database 
+ Oracle database 


+ Syslog database 


Nsure Audit protects log data from record modification, insertion, or deletion by allowing only one 
program component, the Logging Service, to write events to the data store. Nsure Audit also limits 
read access to log data by controlling which applications can request log information through the 
auditing system. However, the security of the data store itself is up to you and the security 
mechanisms provided by the database. Although Nsure Audit maintains an internal security 
perimeter around the data store, it is possible for individuals or applications to directly access the 
data store outside the boundaries of the auditing system. Therefore, file system rights, directory 
rights, and the database’s internal security features must be carefully configured to secure your log 
data. 


For further information, see “Configuring the Data Store” on page 69. 
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Reporting Applications 
Nsure Audit provides two tools that can be used to generate reports from MySQL and Oracle data 
stores. 
NOTE: Any standardized syslog reporting tool can be used to generate reports from syslog data stores. 


+ Nsure Audit Report is a Windows-based, ODBC-compliant application that can generate 
reports from Oracle and MySQL data stores. It includes predefined reports and can be 
integrated with Crystal Reports* to provide full custom reporting capabilities. 


+ ¡Manager is a browser-based, JDBC*-compliant application that can generate reports from 
MySQL data stores. 


For more information on generating reports with these tools, see Chapter 10, “Generating Queries 
and Reports,” on page 107. Any standardized syslog reporting tool can be used to generate reports 
from syslog data stores. 
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When you install the Secure Logging Server, the installation program extends the eDirectory 
schema to include the following objects: 


Event Manager 
Notification 


Configuration Objects 


+ Logging Services Container (page 27) 

+ Logging Server Object (page 28) 

+ Nsure Audit Attributes on the NCP Server Object (page 28) 
+ Application Objects (page 28) 
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+ Channel Objects (page 29) 
+ Notification Objects (page 30) 


Nsure Audit uses these objects to store and look up system configuration parameters. 
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IMPORTANT: The Platform Agent is not configured through eDirectory. Instead, the Platform Agent's 
configuration settings are stored in a simple, text-based configuration file (logevent). For more information, see 
“Logevent” on page 58. 


Logging Services Container 
EF 


During your initial installation, Nsure Audit extends the eDirectory schema and creates the 
Logging Services container at the root of your directory tree. Because it is part of Nsure Audit, 
there can only be one Logging Services container per tree and, as the logging system container, it 
only contains Nsure Audit component objects. 


Locating all logging system components in the Logging Services container is ideal for 
organizations that need a simple, easy-to-manage logging system. It also suits organizations that 
are implementing Nsure Audit as an auditing solution and, for security reasons, want to centrally 
manage their system. To facilitate distributed administration, however, Nsure Audit components 
can also be created and managed outside the Logging Services container. 


Ifthe Logging Services container is deleted, it can only be re-created by re-running AuditExt. For 
more information, see “AuditExt” on page 179. 
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In eDirectory, the Logging Server object represents the physical server where you installed the 
Secure Logging Server. However, because the Logging Server object is specific to Nsure Audit, it 
does not replace the NCP Server object. Instead, each Logging Server object is associated with an 
NCP Server object. 


The Logging Server object is represented as a container with server attributes; it can contain Nsure 
Audit objects and it stores all the properties and attributes for the Secure Logging Server. For 
information on creating and configuring the Logging Server object, see “Configuring the Secure 
Logging Server” on page 60. 


Nsure Audit Attributes on the NCP Server Object 


During installation, Nsure Audit extends the definition of the NCP Server object to include the log 
settings for eDirectory, NetWare, traditional file system, and NSS events. These settings are found 
under the NCP Server object’s Nsure Audit tab. 


The Nsure Audit screen has separate menus for NetWare, Filesystem, and eDirectory events. Each 
menu lists the events that fall in its respective category. To configure the logging server to log a 
particular type of event, simply mark the event’s check box and click Apply. The logging server 
automatically begins logging the marked events. 


NOTE: You do not need to restart the logging server to effect changes to NSure Audit attributes in the NCP 
Server object. 


For more information on configuring the NCP Server object’s Nsure Audit attributes, see Chapter 
6, “Logging eDirectory, NetWare, and File System Events,” on page 73. 
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Application objects are associated with applications that log to or request information from Nsure 
Audit. These objects store the information required by the logging server to authenticate logging 
applications. They also identify which users have rights to monitor the applications’ events and 
they store the applications’ log schemas. 


NOTE: The log schema catalogs the events that can be logged for a given application. For more information, 
see “Log Schema Files” on page 163. 


Application objects are usually created automatically when either Nsure Audit or the logging 
application is installed. If necessary, they can also be manually added to the tree using iManager 
or WebAdmin. 


During installation, Novell Nsure Audit automatically creates Application objects for itself (the 
Naudit Instrumentation), the eDirectory Instrumentation, and the NetWare Instrumentation. The 
Naudit Instrumentation allows Nsure Audit to audit its own events such as creating Channel or 
Notification objects. The eDirectory Instrumentation manages logging of eDirectory events and 
the NetWare Instrumentation provides logging for NetWare and file system events. 


NOTE: The NetWare Instrumentation is only installed on NetWare versions. 
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Application objects can be created only within Application containers. Novell Nsure Audit creates 
the Application objects for the Naudit, eDirectory, and NetWare Instrumentations in the 
Application container under Logging Services. 


For more information on creating and configuring Application objects, see Chapter 7, “Managing 
Applications that Log to Nsure Audit,” on page 77. 


Application Containers 


Application containers provide a reference point through which the logging server can locate 
Application objects. At startup, the logging server scans its list of Application containers and loads 
the included Application object configurations in memory where it can quickly access the 
information when authenticating applications. For information on configuring the Application 
Container property on the logging server, see “Logging Server Objects” on page 61. 


IMPORTANT: The logging server scans its list of Application containers only at startup. Therefore, if you 
create or modify an Application object, you must restart the logging server. For information on restarting the 
logging server, see “Secure Logging Server Startup Commands” on page 176. 


The Application container under Logging Services is automatically created during installation; 
however, additional Application containers can be created anywhere in the tree. 


Channel Objects 


Channel objects store the information the logging server needs to use channel drivers. For 
example, a MySQL Channel object contains the IP address or host name of the MySQL database 
server; a username and password for connecting to the server, the name of the database and table, 
and any other relevant information. An SMTP Channel object, on the other hand, includes the 
address of the SMTP server; a username and password; and the recipient, sender, subject, and body 
of the log message. 


Nsure Audit is designed so you can create multiple Channel objects for any given channel. This 
means you can apply different channel configurations to different functions or events. For 
instance, you can configure the logging server to use one MySQL Channel object to add events to 
the central data store and configure a Notification Filter to use another MySQL Channel object to 
create a filtered log. 


The available types of Channel objects are: 


+ + 
E» SMTP L Oracle (Only available on NetWare using the 
JDBC Java channel.) 
i *. 
L SNMP File 
+ 
“L, Java L Syslog 
A + 
E MySQL Te cvr 


Additional Channel objects can be easily incorporated in this model. For more information, see the 
Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 
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Channel Containers 


Of particular note is the Critical Value Reset (CVR) Channel object. In configuring a CVR 
Channel object, you can flag an attribute in eDirectory with a reset policy. If the value of that 
specific attribute is changed, the CVR chamnel automatically resets the value as per the policy 
defined in the CVR Channel object. 


The logging server looks for Channel objects only in Channel containers; therefore, Channel 
objects can only be created within Channel containers. For information on creating and 
configuring Channel objects, see Chapter 8, “Configuring System Channels,” on page 81. 


Channel containers provide a reference point through which the logging server can locate Channel 
objects. At startup, the logging server scans its list of Channel containers and loads the included 
Channel object configurations and their drivers. The drivers and Channel object configurations are 
then available to provide event notification and to log events. Note that the logging server only 
loads those drivers that have Channel objects in supported Channel containers. For information on 
configuring the Channel Container property on the logging server, see “Logging Server Objects” 
on page 61. 

IMPORTANT: The logging server scans its list of Channel containers only at startup. Therefore, if you create 


or modify a Channel object, you must restart the logging server. For information on restarting the logging 
server, see “Secure Logging Server Startup Commands” on page 176. 


The Channel container under Logging Services is automatically created during installation; 
however, Channel containers can be created anywhere in the tree. 


Notification Objects 


Nsure Audit provides two kinds of event notification: 
¢ Filtered Notification 


+ Heartbeat Notification 


Filtered notification tells you when a specific event has occured; heartbeat notification tells you 
when an event has not occured. The following sections discuss the objects associated with each 
notification. 
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Notification Filter objects store the criteria the logging server uses to filter system events. They 
also designate which Channel objects the logging server uses to provide event notification. 


When you define a Notification Filter, you specify a value for a given event field. To narrow the 
results, you can define values for multiple event fields. Using standard “and,” “or,” and “not” 
operators, you can define up to 15 event conditions. For more information on the event fields, see 
“Event Structure” on page 157. 


After you define the filter criteria, you must select the object’s notification channel. Notification 
channels are simply the Channel objects the logging server uses to provide event notification. For 
example, if you want to e-mail filtered events to your mailbox, you must select an SMTP Channel 
object that is configured to relay events to your e-mail address. Similarly, if you want to log filtered 
events to a MySQL database, you must select a MySQL Channel object that is configured to write 
events to the correct database and table. You can define multiple notification channels for any 
given Notification Filter. 
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Heartbeat Objects 


The logging server looks for Notification Filter objects only in Notification containers; therefore, 
Notification Filter objects can be created only within Notification containers. For information on 
creating and configuring Notification Filter objects, see Chapter 9, “Configuring Filters and Event 
Notifications,” on page 101. 


AB 


Heartbeat objects define which Event IDs the logging server looks for and the interval at which 
those events must occur. If an event does not occur within the designated interval, the logging 
server generates a heartbeat event. 


The heartbeat event is automatically logged to the central data store; however, if you want to 
receive notification that a specific event has not occurred, you must create a Notification Filter for 
the corresponding heartbeat event. 


The logging server looks for Heartbeat objects only in Notification containers; therefore, 
Heartbeat objects can be created only within Notification containers. For information on creating 
and configuring Heartbeat objects, see Chapter 9, “Configuring Filters and Event Notifications,” 
on page 101. 


Notification Containers 
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Notification containers provide a reference point through which the logging server can locate 
Notification objects. At startup, the logging server scans its list of Notification containers and 
loads the included Notification object configurations in memory where it can quickly access the 
information to filter or monitor events. For information on configuring the Notification Container 
property on the logging server, see “Logging Server Objects” on page 61. 


IMPORTANT: The logging server scans its list of Notification containers only at startup. Therefore, if you 
create or modify a Notification object, you must restart the logging server. For information on restarting the 
logging server, see “Secure Logging Server Startup Commands” on page 176. 


The Notification container under Logging Services is automatically created during installation; 
however, Notification containers can be created anywhere in the tree. 
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Installation 


This section reviews the system requirements and installation procedures for each platform. 
+ “System Requirements” on page 33 
+ “Preparing to Install” on page 35 
+ “Installing Novell Nsure Audit with NetWare 6.5” on page 35 
+ “Installing Novell Nsure Audit on NetWare” on page 38 
+ “Installing Novell Nsure Audit on Windows” on page 40 


+ “Installing Novell Nsure Audit on Linux” on page 42 


+ “Installing Nsure Audit on Solaris” on page 43 


+ “Configuring the Platform Agent after Installation” on page 45 


For a listing of all the program files, see “Program Filenames and Directories” on page 188. 


System Requirements 


The following sections outline the system requirements for the Secure Logging Server, Platform 
Agent, and Novell eDirectory™ and NetWare® Instrumentations. 


Secure Logging Server 


The Secure Logging Server is the server component in the Nsure™ auditing system. It is installed 
on the server you want to manage the flow of information to and from the auditing system. 


The server where you install the Secure Logging Server must meet the following requirements: 


Requirement Description 

Operating System NetWare 5.1 SP6 and higher 
NetWare 6.0 SP3 
NetWare 6.5 
Windows 2000 SP3 
Solaris 8 and 9 
SUSE Advanced Server 8 
Red Hat Linux 7.3 and 8.0 
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Platform Agent 


Requirement Description 


eDirectory Novell eDirectory version 8.5 or higher 


On Windows, eDirectory is not required. Novell Nsure Audit can use the 


registry. 
Processor A single processor, server-class PC with a Pentium* II 400 Mhz 
Disk Space 4 MB 


The space you need for your data store depends on a number of factors 
which include, but are not limited to, how many events per second you are 
storing and how long you want to keep the data. For MySQL, a system that 
generates around 80 events per second with an average event size of 80 
bytes consumes approximately 500 MB of disk space for the database 
table and 150 MB for the index in a 24 hour period. 


RAM 15 MB over the OS 


The Platform Agent is the client portion of the Nsure auditing system. It is a shared library that is 
used by instrumented applications to log events to Novell Nsure Audit. It does not have any system 
requirements other than disk space for the Disconnected Mode Cache. (eDirectory is not required.) 


The Platform A gent must be installed on every server or workstation running applications that log 
events to Nsure Audit. 


The Platform A gent supports the following platforms: 
+ NetWare 4.2 and higher 
+ Windows NT, Windows 2000 SP3, Window XP SP1 
¢ Solaris 8 and 9 


+ Red Hat Linux 7.3 and 8 


eDirectory Instrumentation 


The eDirectory Instrumentation enables Nsure Audit to log eDirectory events. To log replicated 
eDirectory events (such as object creation and deletion), the eDirectory Instrumentation should be 
loaded on one server per DS Replica. To log non-replicated events (such as logins), it must be 
installed on each individual server for which you want to log non-replicated events. 


eDirectory Instrumentation also requires that the Platform Agent be installed on the same machine. 


IMPORTANT: If you load the eDirectory Instrumentation on more than one server per DS Replica, you will 
get duplicate entries for replicated events. 


The eDirectory Instrumentation supports the following versions of the Directory: 
+ NDS? 6.x 
+ NDS 7.x 
+ NDS 8.x 


+ 


eDirectory 8.6 (NetWare, Windows, Linux, and Solaris) 


+ 


eDirectory 8.7 (NetWare, Windows, Linux, and Solaris) 
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NetWare Instrumentation 


The NetWare Instrumentation allows Nsure Audit to log NetWare and file system events. It must 
be loaded on every server for which you want to log NetWare and file system events. It also 
requires that the Platform Agent be installed on the same machine. 


The NetWare Instrumentation supports the following versions of NetWare: 
+ NetWare 4.2 SP9 
+ NetWare 5.1 SP6 
+ NetWare 6.0 SP3 
+ NetWare 6.5 


Preparing to Install 


Before installing Novell Nsure Audit, you should run through the following checklist: 


+ Make sure the tree is synchronized and error free. For detailed information on eDirectory 
Health Check procedures, see “Keeping eDirectory Healthy” (http://www.novell.com/ 
documentation/lg/edir87/edir87/data/a5ziqam.html). 


+ Make sure you have Admin level rights to the root of the tree where you plan to install Novell 
Nsure Audit. You must provide the administrator username and password during installation 
so the installation program can extend the schema. 


Installing Novell Nsure Audit with NetWare 6.5 


Novell Nsure Audit provides auditing services for NetWare 6.5. It is included with NetWare 6.5 
and can be installed during the NetWare 6.5 install. 


IMPORTANT: The NetWare 6.5 product license authorizes you to use the Nsure Audit program’s SMTP, File, 
and MySQL channels. If you configure and enable the CVR, Java, Oracle, SNMP or Syslog channels, Novell 
Nsure Audit broadcasts licensing notices every 10 minutes to all your configured channels. (You do not receive 
notices for a unlicensed channel that is configured, but disabled.) The licensing notice indicates that you 
should acquire a license when you are done evaluating the additional channels. 


To install Novell Nsure Audit with NetWare 6.5: 
1 Start the NetWare 6.5 installation. 
2 Inthe Choose a Pattern window, select the Novell Nsure Audit Starter Pack. 
+ Select Pre-Configured Server > Novell Nsure Audit Starter Pack. 
or 
+ Select Customized NetWare Server and mark the following components: 
+ Apache 2 Web Server and Tomcat 4 Servlet Container 
+ MySQL (if you want to configure the MySQL data store during installation) 
+ Novell Nsure Audit Starter Pack 
+ ¡Manager 2.0 
3 In the Summary window, review the products to be installed, then click Copy Files. 


4 When the installation program displays the Component Selection window for the Novell 
Nsure Audit Starter Pack, select the program components you want to install. 
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Option 


NETA Novell Nsure Audit Starter Pack - Component Selection s 
Novell. NetWare. 6.5 
EEES e DER pease Novell 


PES 


Novell Nsure Audit Starter Pack Component Selection: 


[w] Install Secure Logging Server 


[Y] Autoconfigure MySQL 


[w] Install Platform Agent 


Secure Logging Server Address [localhost 


| Cancel || Help | | < Back || Next > 


The following table outlines the Component Selection options. 


Description 


Install Secure Logging Server Installs the Secure Logging Server (lengine.nlm), the Multiple Directory Database 


Autoconfigure MySQL 


(mdb.nlm), and the channel drivers (Igd*.nlm) to the current server.It also creates a 
Logging Server object in the Logging Services container. 


You need at least one Secure Logging Server in your network. 


Creates the MySQL Channel object in the Logging Services’ Channel container and 
configures the Secure Logging Server to log events to the MySQL database. 


If you select this option, you must install MySQL with the NetWare 6.5 install. (See 
Step 2.) 


WARNING: The MySQL Channel object is created with a default Expiration script that 
runs every night at midnight and automatically deletes every record older than 12 hours. 
This is done because the default events logged by the NetWare and eDirectory 
Instrumentations quickly fill the database. To remove this setting, simply delete the 
script from the SQL Expiration Commands property in the MySQL Channel object and 
restart the Secure Logging Server. For more information, see “MySQL Channel Object” 
on page 90. 
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Option 


Install Platform Agent 


Secure Logging Server Address 


Description 


Installs the Platform Agent (logevent.nim), the Caching Module (Icache.nlm), and the 
NetWare and eDirectory Instrumentations (auditNW.nlm and auditDS.nlm 
respectively). 


You must install the Platform Agent on every workstation or server that is running an 
application that logs events to Novell Nsure Audit. To enable NetWare and file system 
logging, the NetWare Instrumentation must be installed and loaded on every server on 
which you want to log NetWare and file system events. To log replicated eDirectory 
events (such as object creation and deletion), auditDS should be loaded on one server 
per DS Replica. To log non-replicated events (such as logins), it must be installed on 
each individual server for which you want to log non-replicated events. 


The IP address or host name of the Secure Logging Server that the Platform Agent 
connects to. 


5 Ifyou selected the Autoconfigure MySQL option, the installation program displays the 
Database Options window so you can define your MySQL data store. 


[sima Novell Nsure Audit Starter Pack - Database Options 
Novell, NetWare, 6.5 


Novell 


r Novell Nsure Audit Starter Pack Database Options: 


MySQL Database Host localhost 


Port 3306 


DB User Name auditusr 


ARRAARAR 


DB User Password 


ARRRARRN 


Confirm User Password 


Database Name naudit 


Table Name log 


| Cancel || | | < Back || Next > 


Help 


The following table outlines the database options. 


Option 


MySQL Database Host 


Description 


The IP Address or host name of the MySQL database server. 


If a host name is specified, only the first address associated with that name is used. 
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Option Description 


Port The port at which the Secure Logging Server connects to the database server. 


If this field is left blank, the Secure Logging Server uses the default MySQL port 
assignment, 3306. 


DB User Name The user account the Secure Logging Server uses to log in to the database. This 
account has all privileges to the default database and can log in from any IP address. 


The default username for the NetWare 6.5 data store is “auditusr.” 


IMPORTANT: On NetWare 6.5, MySQL installs in Secure Mode. In Secure Mode, the 
default MySQL administrative account, Root, only has rights to log in at the database 
server. Therefore, if you want the logging server to use the Root account to log in to the 
database, MySQL and the Secure Logging Server must be located on the same server 
and you must specify a loopback address (“127.0.0.1” or “localhost”) in the MySQL 
Database Host field. 


DB User Password The password the logging server uses to authenticate with the database. 


The default password for the NetWare 6.5 data store is “auditpwd.” 
Confirm User Password Confirms the user password. 


Database Name The name of the database to which the logging server writes events. 
The default database name is “naudit.” 


The MySQL driver, lgdmsql.nlm, automatically creates this database when the logging 
server first loads the MySQL Channel object’s configuration in memory. 


Table Name The database table to which the logging server writes events. 
The default table is “log.” 


The MySQL driver, Igdmsql.nim, automatically creates this table when the logging 
server first loads the MySQL Channel object's configuration in memory. 


For information on the default table structure, see “MySQL Data Store” on page 71. 


6 Follow the prompts to complete the rest of the NetWare 6.5 install. For more information, see 
the NetWare 6.5 Overview and Installation Guide (http://www.novell.com/documentation/lg/ 
nw65/install/data/hz8pck9v.html). 


Upon completing the installation, you must restart the server or manually launch the installed 
components. For the program startup commands, see Appendix C, “Commands and Utilities,” on 
page 175. 


Installing Novell Nsure Audit on NetWare 


1 Make sure the tree is synchronized and error free. For detailed information on eDirectory 
Health Check procedures, see “Keeping eDirectory Healthy” (http://www.novell.com/ 
documentation/lg/edir87/edir87/data/a5ziqam.html). 


2 Launch the installation. 


2a If you are installing the Platform Agent on a NetWare 4.2 server, enter load install 
at the server console. 
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2b If you are installing the Secure Logging Server or the Platform Agent on a NetWare 5.x 
or 6.x server, load nwconfig.nlm at the server console. 


3 Select Product Options > Install a Product Not Listed. 


4 Press F3 (F4 if you're using RCONSOLE) and specify the path to the directory where the 
installation program can find the base.ips file. 


+ Ifyou downloaded Novell Nsure Audit from the Web, enter the path to the directory you 
extracted from the downloaded file (for example, sys:\naudit\). 


+ Ifyou are installing from a CD, mount the CD as a NetWare volume (for example, 
naudit:). 


For information on mounting a CD as a volume, see CD-ROMs As Logical Volumes 
(http://www.novell.com/documentation/lg/nw6p/nss_enu/data/htxx7fd6.html) in the 
Novell Storage Services Administration Guide. 


5 Follow the on-screen prompts concerning license agreements and the Readme file. 
6 Select your install options. 


The following table outlines the Novell Nsure Audit installation options. 


Option Description 


Backup files from This option is for future upgrades. 
previous versions 


Directory Schema This option is for future upgrades. 

Update 

First-time Directory Extends the Directory schema for Novell Nsure Audit 1.0.1. 
Install 


Select this option for all first-time installations. 


IMPORTANT: Do not select this option if you have already installed 
Novell Nsure Audit to another server in your tree. 


Configure Server for Creates the Secure Logging Server object in Logging Services. It also 

Nsure Audit creates a File Channel object in the Logging Services Channel 
container and it configures the logging server to log events to the File 
channel. 


The default log channel for the Secure Logging Server is Translated 
File. For more information, see “File” on page 85. 


Select this option if the current server is your Secure Logging Server 
and you want to log to the File channel. If you do not select this option, 
you must manually create the Secure Logging Server and the Channel 
object for the central data store. 


You should not select this option if you want to create the Secure 
Logging Server object outside the Logging Services container or if you 
do not want to use the File channel. 
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Option Description 
Nsure Audit Files Installs the Novell Nsure Audit program files to the server. This 
includes the following components: 
+ Secure Logging Server (lengine.nlm) 
+ All Channel drivers (lgd*.nlm) 
+ Platform Agent (logevent.nim) 
+ NetWare Instrumentation (auditNW.nlm) 
+ eDirectory Instrumentation (auditDS.nlm) 


+ WebAdmin (webadmin.nlm) 


Select this option for all installations. 


7 Press F10 to continue. 


8 If you selected First-time Directory Install, specify the Directory administrator login name 
and password to update the schema. 


IMPORTANT: This account must have Admin level rights to the root of the tree. 


If the admin object is not in the same context as the current server, you must specify the 
object’s fully distinguished name (such as Admin.Accounts.Finance. YourCo). 


If the installation program does not accept your login credentials, specify the username in a 
different format. For example: 


+  user.organizational_unit.organization 

+  .user.organizational_unit.organization 

*  cn=user.ou=organizational_unit.o=organization 
+  .cn=user.ou=organizational_unit.o=organization 


9 If you selected Configure Server for Nsure Audit, specify a name for the Secure Logging 
Server object. 


10 Continue to follow the installation instructions on the screen until you have exited the Novell 
Nsure Audit installation program. 


Upon completing the installation, you must restart the server or manually launch the installed 
components. For the program startup commands, see Appendix C, “Commands and Utilities,” on 
page 175. 


Installing Novell Nsure Audit on Windows 
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1 Make sure the tree is synchronized and error free. For detailed information on eDirectory 
Health Check procedures, see “Keeping eDirectory Healthy” (http://www.novell.com/ 
documentation/lg/edir87/edir87/data/a5ziqam.html). 


2 At the Windows server, log in as Administrator or as a user with administrative privileges. 


3 Run naudit-win32 from the win321 directory on the Novell Nsure Audit CD or from the 
downloaded file. 


4 Follow the online instructions in the Novell Nsure Audit Installation Wizard to view and 
accept the license agreement. 
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5 Enter your customer information. 
6 Select who the application is installed for. 


If you select Anyone Who Uses This Computer, the installed components appear on the Start 
menu for all users. 


If you select Only for Me, the installed components appear on the Start menu for the current 
user only. 


7 Specify the destination folder, then click Next. 
The default directory is program files\novell\nsure audit\ . 
8 Select the type of installation you want to perform on the current server, then click Next. 


The following table outlines the Novell Nsure Audit installation options. 


Option Description 
Custom Allows you to individually select which program components to install. 
Full Installation Installs the following components: 


+ Secure Logging Server (lengine.exe) 

+ All Channel Drivers (Igd*.dll) 

+ Platform Agent (logevent.dll) 

+ eDirectory Instrumentation (auditDS.dlm) 
+ WebAdmin (webadmin.exe) 


+ Nsure Audit Report (Ireport.exe) 
Instrumentation Installs the Platform Agent and the eDirectory Instrumentation. 


Reporting Installs Nsure Audit Report. 


Application 
For more information, see “Using Nsure Audit Report” on page 117. 


Server Installs the Secure Logging Server, the channel drivers, and WebAdmin. It 
also creates the Secure Logging Server object in Logging Services and a File 
Channel object in the Logging Services Channel container. 


The Custom, Full Installation, and Server options create the Secure Logging Server object in 
Logging Services. They also create a File Channel object in the Logging Services Channel 
container and they configure the logging server to log events to the File channel. 


9 Confirm your current settings, then click Next. 


10 If you are installing the Secure Logging Server, specify the following information when 
prompted: 


+ The Directory administrator login name and password to update the schema. 
IMPORTANT: This account must have Admin level rights to the root of the tree. 
+ A name for the Secure Logging Server object. 
11 Click OK to confirm the installation. 


12 Click Finish to complete the Novell Nsure Audit installation. 
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When the installation is complete, the Secure Logging Server automatically launches; however, 
you must manually load the eDirectory Instrumentation. For information on loading AuditDS.dlm, 
see “Starting and Stopping the eDirectory Instrumentation on Windows” on page 179. 


Installing Novell Nsure Audit on Linux 


1 Make sure the tree is synchronized and error free. For detailed information on eDirectory 
Health Check procedures, see “Keeping eDirectory Healthy” (http://www.novell.com/ 
documentation/lg/edir87/edir87/data/a5ziqam.html). 


2 Log in as root on the host. 

3 Enter the following command from the setup directory: 
./pinstall.lin 
The pinstall.lin script performs the following actions: 
+ Verifies that eDirectory for Linux has been installed. 
+ Copies the Novell Nsure Audit files to the installation directory. 
+ Starts the auditext.sh script. 

4 When prompted, accept the license agreement. 

5 Extend the Directory schema for Novell Nsure Audit 1.0.1: 
5a Select Add Schema Extensions. 


Select this option for all first-time installations. 


IMPORTANT: Do not select this option if you have already installed Novell Nsure Audit to another 
server in your tree. 


5b Enter the Directory administrator login name and password to update the schema. 


This account must have Admin level rights to the root of the tree. If the admin object is 
not in the same context as the current server, you must enter the object’s fully 
distinguished name (i.e., .Admin.Accounts.Finance. YourCo). 


If the installation program does not accept your login credentials, specify the username 
in a different format. For example: 


+  user.organizational_unit.organization 
+  .user.organizational_unit.organization 
+  cn=user.ou=organizational_unit.o=organization 
*  .cn=user.ou=organizational_unit.o=organization 
6 Create the Secure Logging Server object in Logging Services: 
6a Select Configure This Server. 


This option also creates a File Channel object in the Logging Services Channel container 
and it configures the logging server to log events to the File channel. 


6b Enter a name for the Secure Logging Server object. 


7 Continue to follow the installation instructions on the screen until you have exited the Novell 
Nsure Audit installation program. 


The Novell Nsure Audit for Linux installation program installs the following components: 
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+ Secure Logging Server (lengine) 

+ All Channel drivers (lgd*.so) 

+ Platform Agent (logevent.so) 

¢ eDirectory Instrumentation (auditDS.so) 


+ WebAdmin (webadmin) 


When the installation is complete, the Secure Logging Server automatically launches; however, 
you must manually load the eDirectory Instrumentation. For information on loading AuditDS, see 
“Starting and Stopping the eDirectory Instrumentation on Linux and Solaris” on page 179. 


Installing Nsure Audit on Solaris 


1 Make sure the tree is synchronized and error free. For detailed information on eDirectory 
Health Check procedures, see “Keeping eDirectory Healthy” (http://www.novell.com/ 
documentation/lg/edir87/edir87/data/aSziqam.html). 


2 Log in as root on the host. 

3 Enter the following command from the setup directory: 
. /pinstall.sol 
The pinstall.lin script performs the following actions: 
+ Verifies that eDirectory for Solaris has been installed. 
+ Copies the Novell Nsure Audit files to the installation directory. 
+ Starts the auditext.sh script. 

4 When prompted, accept the license agreement. 

5 Extend the Directory schema for Novell Nsure Audit 1.0.1: 
5a Select Add Schema Extensions. 

Select this option for all first-time installations. 


IMPORTANT: Do not select this option if you have already installed Novell Nsure Audit to another 
server in your tree. 


5b Enter the Directory administrator’s login name and password to update the schema. 


This account must have Admin level rights to the root of the tree. If the admin object is 
not in the same context as the current server, you must enter the object’s fully 
distinguished name (such as Admin.Accounts.Finance. YourCo). 


If the installation program does not accept your login credentials, specify the username 
in a different format. For example: 


+  user.organizational_unit.organization 
+  .user.organizational_unit.organization 
+  cn=user.ou=organizational_unit.o=organization 
+  .cn=user.ou=organizational_unit.o=organization 
6 Create the Secure Logging Server object in Logging Services, 


6a Select Configure This Server. 
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This option also creates a File Channel object in the Logging Services Channel container 
and it configures the logging server to log events to the File channel. 


6b Enter a name for the Secure Logging Server object. 


7 Continue to follow the installation instructions until you have exited the Novell Nsure Audit 
installation program. 


The Novell Nsure Audit for Solaris installation program installs the following components: 
+ Secure Logging Server (lengine) 
+ All Channel drivers (lgd*.so) 
+ Platform Agent (logevent.so) 
¢ eDirectory Instrumentation (auditDS.so) 
+ WebAdmin (webadmin) 


When the installation is complete, the Secure Logging Server automatically launches; however, 
you must manually load the eDirectory Instrumentation. For information on loading AuditDS, see 
“Starting and Stopping the eDirectory Instrumentation on Linux and Solaris” on page 179. 


Activating Novell Nsure Audit 


This section contains instructions on activating Novell Nsure Audit on all supported platforms. 
+ “Activating Novell Nsure Audit on NetWare” on page 44 
+ “Activating Novell Nsure Audit on Windows” on page 44 
+ “Activating Novell Nsure Audit on Linux” on page 45 
+ “Activating Novell Nsure Audit on Solaris” on page 45 
If activation messages appear in Ireport after completing activation, perform the following: 
1 In Ireport, click File >Import, then select Application Schemata. 


2 Specify the IP address of your Nsure Audit logging server, then select a language. Activation 
messages no longer appear in Ireport. 


Activating Novell Nsure Audit on NetWare 


1 When you license Novell Nsure Audit, you receive a license file with an .nlf extension. Copy 
this license file to sys:\system\naudit.nlf (or to the folder containing lengine). 


2 Restart the logging server. For instructions, see “Starting and Stopping the Secure Logging 
Server on NetWare” on page 176. When the server restarts, activation messages no longer 
appear. 


Activating Novell Nsure Audit on Windows 


1 When you license Novell Nsure Audit, you receive a license file with an .nlf extension. Copy 
this license file to C:\windows\system32\naudit.nlf (or to the folder containing lengine). 


2 Restart the logging server. For instructions, see “Starting and Stopping the Secure Logging 
Server on Windows” on page 177. When the server restarts, activation messages no longer 
appear. 
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Activating Novell Nsure Audit on Linux 


1 When you license Novell Nsure Audit, you receive a license file with an .nlf extension. Copy 
this license file to /opt/novell/naudit/naudit.nlf (or to the folder containing lengine). 


2 Restart the logging server. For instructions, see “Starting and Stopping the Secure Logging 
Server on Linux” on page 177. When the server restarts, activation messages no longer 
appear. 


Activating Novell Nsure Audit on Solaris 


1 When you license Novell Nsure Audit, you receive a license file with an .nlf extension. Copy 
this license file to /opt/novell/naudit/naudit.nlf (or to the folder containing lengine). 


2 Restart the logging server. For instructions, see “Starting and Stopping the Secure Logging 
Server on Solaris” on page 177. When the server restarts, activation messages no longer 
appear. 


Configuring the Platform Agent after Installation 


The Novell Nsure Audit installation program configures the current server (localhost) as the 
Platform Agent’s log host (that is, the Secure Logging Server the Platform Agent connects to). 


Therefore, if the current server is not the Platform Agent’s log host, you must edit the agent’s 
configuration file, logevent, so the LogHost setting points to the IP address or host name of the 
Secure Logging Server. 


Logevent is a text-based file that can be opened and modified in any text editor. For more 
information, see “Logevent” on page 58. 
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¡Manager 


Configuration Tools 


Novell® Nsure™ Audit can be managed with one of the following configuration tools: 
+ “iManager” on page 47 
+ “WebAdmin” on page 52 


This section walks you through each administrative tool and shows you how to perform basic 
system functions. 


Novell ¡Manager is a Web-based application that is used to manage, maintain, and monitor Novell 
eDirectory™ through wired and wireless devices. With the Novell Nsure Audit plugin module, 
¡Manager can be used to manage Nsure Audit objects in eDirectory. 


IMPORTANT: The Nsure Audit module only works on ¡Manager 2.0 or later. 


¡Manager 2.0 is included with NetWare® 6.5 and must be installed to manage Novell Nsure Audit 
in NetWare 6.5. 


¡Manager Interface 


The ¡Manager 2.0 interface has two administrative views: the Roles and Tasks view and the Object 
view. Both views are task driven. 


The Roles and Tasks view provides a list of available roles and their associated tasks. The user 
does not need to browse the tree to find an object to administer; instead, the plug-in for that task 
presents the necessary tools and interface to perform the task. 


NOTE: You only have access to those tasks for which you have assigned rights. 
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User: admin.sim.SIMLS-TREE. 


@ Roles and Tasks Novell. ¡Manager www.novell.com 
= — Www novencom 

+ Print al Version 2.0.0 

El LDAP 

+ Licenses 


You are currently logged in as user admin.sim in the Novell eDirectory SIMLS-TREE tree 
[+] NetStorage with Unrestricted access, 


+] NetWare Product Usage 


+) NMAS 


+) Novell Certificate Access 
+] Novell Certificate Server 


= Nsure Audit 

Queries 

Query Configuration 
Server Configuration 


=] Partition and Replicas 
H Rights 


+ Schema 


+ Servers 


E SMS 


+ SNMP 


+ 


Storage 

+ UDDI Administration 

UDDI Inquiry 

y UDDI Publish & User Access 


Cantral +! 


f: A Start| | €l WebAdmin - Microsoft In... e Novell iManager - Mic... Y iman_objectivew - Paint | El Nsure Audit Report | 


E 


The Nsure Audit role includes the following tasks: 


Task Description 


Query Configuration The Query Configuration task allows you to define your available 
databases, import log schemas, and set general report settings such 
as query limits and default sort order. For more information, see “Using 
¡Manager to Generate Queries” on page 107. 


Queries The Queries task guides you through the process of defining and 
running queries. For more information, see “Using iManager to 
Generate Queries” on page 107. 


Server Configuration The Server Configuration task allows you to configure a specific 
logging server. You can also create Notification, Channel, and 
Application objects in the logging server’s supported containers. For 
more information, see “Configuring the Logging Server in iManager” on 
page 63. 


The Object view displays objects by context. To move up or down in the tree, click the navigation 
arrows. You can also navigate the tree by entering a specific context in the Context field. 


When you select an object, iManager displays the tasks that can be performed on that object. Select 
a task to open the corresponding menu. 
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BE lalele [Ea] 


(AX Browse \ Search | Novell. ¡Manager 


: o www.novell.com 
A ANAS Version 2.0 


Novell. 


| Name | 

| Type: |All Available Types ee | You are currently logged in as user admin.SIM in the Novell eDirectory SIMLS-TREE tree 
| Appl with Unrestricted access, 

| Objects: Multiple Select 


Y” simes-TREE. 
E Es sm 
5 A Security 


Copy Object 

Create Extended Object 
Create Object 

Delete Object 

Modify Inherited Rights Filter 
Modify Object 

Modify Trustees 

Object Extensions 
Rename Object 

Rights To Other Objects 
View Effective Rights 


<< Previous | NEXUS] [ 100 | 


IMPORTANT: Do not use the browser's Back and Forward buttons while using iManager. Because ¡Manager 
is a Web-based application, it is important to navigate through the interface using the buttons inside the 
application, not the buttons on the browser's toolbar. 


System Requirements 


¡Manager 2.0 requires the following: 


Requirement Description 

Operating System NetWare 6.5 

eDirectory eDirectory version 8.7 or higher 

Browser Internet Explorer 5.5 or later (recommended) or Netscape* 6.2 or later. 


Installing ¡Manager 


¡Manager 2.0 is included with NetWare 6.5 and can be installed as part of the Novell 6.5 
installation. For information on installing ¡Manager 2.0 with the NetWare 6.5 install, see the 
Novell ¡Manager Administration Guide. (http://www.novell.com/documentation/lg/imanager20/ 


treetitl. html). 
Opening ¡Manager 
1 Access ¡Manager from a Web browser, using the following URL: 
https://IP_or_DNS/nps/iManager.htm] 


where /P_or_DNS is the IP address or DNS name of your ¡Manager server. 


Configuration Tools 49 


The server IP address can also be a DNS name. 
For example: 
http://137.65.135.150/nps/iManager.html 


2 Log in using your username and password. 


In iManager, you have access only to those roles for which you have assigned rights. To have full 
access to all Novell iManager features, you must log in as a user with Admin level rights to the tree. 


Securing Your iManager Connection 


When you log in to iManager, your connection is automatically forwarded to a secure port. The 
default HTTPS port for iManager is 443. 


For more information on running iManager over an SSL connection, see Configuring and Using 
SSL for LDAP Connections in the ¡Manager Administration Guide. (http://www.novell.com/ 
documentation/lg/imanager151/imanager/data/adbcvpt.html) 


Managing Roles and Tasks 


Novell iManager includes a default set of roles and tasks. You can use the default set or customize 
them to your liking. 


Novell iManager also allows administrators to assign users a defined set of roles and tasks. What 
users see when they access Novell iManager is based on their role assignments in Novell 
eDirectory. iManager only displays the tasks assigned to the authenticated user. 


For further information on managing roles and tasks, see Setting Up Roles and Tasks in the 
¡Manager Administration Guide. (http://www.novell.com/documentation/lg/imanager20/ 
imanager20/data/am757mw.html) 


Performing Basic Administrative Functions in iManager 


This section reviews how to perform the following administrative functions: 
+ Creating Objects in ¡Manager 
+ Renaming Objects in ¡Manager 
+ Deleting Objects in ¡Manager 
+ Modifying Object Attributes in ¡Manager 


IMPORTANT: Do not use the browser's Back and Forward buttons while using iManager. Because ¡Manager 
is a Web-based application, it is important to navigate through the interface using the buttons inside the 
application, not the buttons on the browser’s toolbar. 


Creating Objects in ¡Manager 
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4 Click the View Objects [A button on the ¡Manager toolbar. 

2 In the Object view, select the container where you want to create the object. 

3 Select Create Object from the Task list. 

4 In the Create Object screen, select the type of object you would like to create then click OK. 
If the object does not appear in the Creation list: 


4a Click Add Object Class to Creation List. 
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4b Locate the object in the Class List. 
TIP: All Nsure Audit objects begin with NAudit. 
4c Click Next. 


The summary screen explains that the information for this object class is stored in an 
XML file on the iManager server. 


4d Click Finish to add the object to the Creation List. 
4e In the confirmation screen, click OK. 
The object now appears in the Creation List. 
5 Specify the object name. 
6 When finished, click OK. 


Renaming Objects in iManager 
1 Click the View Objects [A button on the iManager toolbar. 
2 In the Object view, select the object you want to rename. 
3 Select Rename Object from the Task list. 
4 Specify the new object name. 
IMPORTANT: Do not include the context with the new object name. 
5 Ifyou want, you can mark the rename options. 
5a The Save Old Name option saves the original name as an attribute on the object. 


5b The Create an Alias in Place of Renamed Object option renames the current object and 
creates an alias of that object using the original name. 


6 When finished, click OK. 


Deleting Objects in iManager 
4 Click the View Objects button [A on the iManager toolbar. 
2 In the Object view, select the object you want to delete. 
3 Select Delete Object from the Task list. 
4 Click OK to delete the object. 


Modifying Object Attributes in iManager 
1 Click the View Objects button [e on the iManager toolbar. 
2 In the Object view, select the object you want to modify. 
3 Select Modify Object from the Task list. 
The configuration window displays the object’s attributes. 
4 Modify the object’s attributes. 


IMPORTANT: If you modify attributes in multiple tabs, you must click Apply in each screen to save your 
changes. 


5 When finished, click OK. 
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WebAdmin 


WebAdmin is a highly flexible, browser-based administrative tool. Because it is browser-based, 
WebAdmin is platform independent. You can manage your system on virtually any operating 
system for which there is an Internet-standard browser. 


WebAdmin runs on most current browser versions including IE 5.x and higher, Netscape 6.x, 
Mozilla 1.3, and Opera 7.x. Basically, WebAdmin runs on any browser that provides good 
JavaScript* support. WebAdmin does not run on Netscape 4.x. 


Webadmin Interface 


WebAdmin provides a traditional, tree-oriented view. A full, graphical representation of the tree 
displays in the left frame while the Properties menus appear in the right frame. If you are using 
Internet Explorer 6.0, WebAdmin also gives you a right-click quick menu. 


Novell. 


User: admin.netmail =| @ Logging Services.[Root] 


Tree Tasks Configuration 


No Configuration Required 
Select an object 
y Go directly to an object: 


Y Enter E-Mail Address: 


y Select a mailing list 
y Select a mailing list user 


Create 
Y Mailing List 
= NDS List 
Y Mailing List User 


Common tasks 
Y Change a Users Mail Settings 


What would you like to do to Logging Services? 


HAS 


[E] Local intranet a 


IMPORTANT: Do not use the browser’s Back and Forward buttons while using WebAdmin. Because 
WebAdmin is a Web-based application, it is important to navigate through the interface using the buttons inside 
the application, not the buttons on the browser’s toolbar. 


Installing WebAdmin 


WebAdmin is automatically installed with Novell Nsure Audit, so no additional installation is 
required. 


During installation, the WebAdmin program file is installed to the following directories: 
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Operating System Directory 


NetWare sys:\system\webadmin.nlm 
The remaining files are in sys:system\webadmin\ . 
Windows \program files\novell\webadmin\webadmin.exe 
Solaris /opt/NOVLwadm/webadmin 
Linux /opt/novell(WebAdmin/webadmin 
Opening WebAdmin 


IMPORTANT: WebAdmin uses pop-up windows; consequently, WebAdmin cannot work if you are using an 
HTTP proxy to filter pop-up ads. 


1 Load the WebAdmin program file. 


+ 


+ 


+ 


+ 


On a NetWare server, enter Load webadmin at the console prompt. 
On a Windows server, the WebAdmin service loads automatically. 
On a Solaris server, enter /opt /NOVLwadm/webadmin. 


On a Linux server, enter /etc/init.d/novell-webadmin start. 


2 In your Web browser, enter the URL or host name of the server running WebAdmin, including 
the port number. For example: 


http://127.5.4.1:89 


https://127.5.4.1:449 


By default, WebAdmin uses port 89 for HTTP and port 449 for HTTPS connections; however, 
you can change the port assignments using the -p and -s switches. For more information, see 
“WebAdmin Startup Commands” on page 53. For information on WebAdmin and HTTPS, 
see “Securing Your WebAdmin Connection” on page 54. 


3 When prompted, enter your User object’s distinguished name (for example, 
admin.users) and password to bring up the WebAdmin console. 


WebAdmin Startup Commands 


The following switches can be used with the webadmin command: 


Switch 
-h or -? 
-d 


-p:port 


Description 
Lists the WebAdmin switches and their variables. 
Turns on debugging; this is primarily used by Novell Support. 


Changes WebAdmin’s HTTP port assignment. The default port assignment 
is 89. 


IMPORTANT: Do not attempt to protect access to WebAdmin by 
reassigning its port assignment. While changing the port assignment 
obscures the connection, it does not provide a high level of security. 
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Switch Description 


-s:SSL_port Configures WebAdmin to accept secure HTTP connections (HTTPS) at the 
designated port. 


For information on WebAdmin and HTTPS, see “Securing Your WebAdmin 
Connection” on page 54. 


Securing Your WebAdmin Connection 


WebAdmin includes its own built-in certificate to secure your WebAdmin connection. This 
certificate allows you to encrypt your connection to WebAdmin; however, it is not necessarily 
"secure" because the same certificate is distributed with every copy of WebAdmin. 


If you want to truly secure your connection to WebAdmin, you must obtain a server certificate 
from a Certificate Authority (CA). A CA is a trusted third party that issues digital certificates to 
other entities (organizations or individuals) to allow them to prove their identity. In most cases, the 
CA is an external company that offers digital certificate services. In some instances, however, 
organizations generate and maintain their own digital certificates using CA servers such as the 
Novell Certificate Server™. 


To select a CA, check your browser to determine which CAs it already supports. If you use one of 
these providers, you won’t need to install root certificates for your CA on all of your browsers. 


After you obtain your certificate, you must put the certificate and private key files (*.pem) in one 
of the following directories on the WebAdmin server: 


Operating System WebAdmin Certificate Directory 
NetWare sys:\system\webadmin\ 
Windows \program files\novell\webadmin\ 
Linux /opt/novell/WebAdmin/ 

Solaris /opt/NOVLwadm/ 


With your certificate and private key files in the correct directory, you can connect to WebAdmin 
over a secure connection. Simply enter the URL or host name of the server running WebAdmin 
and designate a connection at port 449. For example, 


https://127.5.4.1:449 


NOTE: By default, WebAdmin uses port 449 for HTTPS connections; however, this can be changed using the 
-s startup switch. For more information on WebAdmin startup switches, see “WebAdmin Startup Commands” 
on page 53. 


Performing Basic Administrative Functions in WebAdmin 
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This section reviews how to perform the following administrative functions: 
+ Creating Objects in WebAdmin 
+ Renaming Objects in WebAdmin 
+ Deleting Objects in WebAdmin 

Modifying Object Attributes in WebAdmin 


+ 
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IMPORTANT: Do not use the browser's Back and Forward buttons while using WebAdmin. Because 
WebAdmin is a Web-based application, it is important to navigate through the interface using the buttons inside 
the application, not the buttons on the browser's toolbar. 


Creating Objects in WebAdmin 
1 In the tree view, select the container where you want to create the object. 
2 Click the Create icon EA. 


In Internet Explorer 6.0, you can right-click the container where you want to create the object 
and select Create. 


3 In the Create menu, select the type of object you would like to create. 
4 Specify the object name and any other required information. 


5 When finished, click Save. 


Renaming Objects in WebAdmin 
1 In the tree view, select the object you want to rename. 
2 Click the Rename icon Il 
In Internet Explorer 6.0, you can right-click the object and select Rename. 
3 Specify the object’s new name. 
IMPORTANT: Do not include the context with the new object name. 
4 When finished, click Save. 


Deleting Objects in WebAdmin 
1 In the tree view, select the object you want to delete. 
2 Click the Delete icon Y. 
In Internet Explorer 6.0, you can right-click the object and select Delete. 


3 Click OK to delete the object. 


Modifying Object Attributes in WebAdmin 
1 Select the object in the left frame of the tree view. 
2 Modify the object’s attributes in the right frame of the tree view. 
3 When finished, click Save. 


IMPORTANT: If you modify attributes in multiple tabs, you must click Save in each screen to apply your 
changes. 
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Configuring the Logging System 


The base components in the Novell® Nsure™ auditing system are the Platform Agent, the Secure 
Logging Server, and the data store. This section provides the information you need to configure 
and manage these components. 


+ “Configuring the Platform Agent” on page 57 

+ “Disconnected Mode Cache” on page 57 

+ “Logevent” on page 58 
+ “Configuring the Secure Logging Server” on page 60 

+ “Creating the Logging Server Object” on page 60 

+ “Logging Server Objects” on page 61 

+ “Configuring the Logging Server in ¡Manager” on page 63 
+ “Configuring the Data Store” on page 69 


Configuring the Platform Agent 


The Platform A gent, logevent, is the client portion of the Nsure auditing system. It receives 
logging information and system requests from authenticated applications and transmits the 
information to the Secure Logging Server. 


For more information on program binaries, see “Program Files” on page 185. For information on 
how applications authenticate with Nsure Audit, see “Authenticating Logging Applications” on 
page 141. 


There are several advantages to having applications connect to the Platform A gent instead of the 
Secure Logging server: 


+ Itis easier for applications to plug into the Nsure Audit system because the complexity and 
overhead of communicating with the logging server is off-loaded to the Platform Agent. 


+ Centralizing the communication load makes the system more efficient. 


+ The Platform Agent and logging applications are on the same computer, giving you secure, 
uninterrupted logging. Ifthe connection between the Platform Agent and the Secure Logging 
Server fails, the Platform Agent simply switches into Disconnected Cache Mode. 


Disconnected Mode Cache 


Ifthe connection between the Platform Agent and the Secure Logging Server fails, applications 
continue to log events to the local Platform Agent, just as they always do. The Platform A gent 
simply switches into Disconnected Cache mode; that is, 1t begins sending events to the Logging 
Cache module. The Logging Cache module then writes the events to the Disconnected Mode 
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Logevent 


Setting 


LogHost 


Cache until the connection is restored. The switch into Disconnected Cache Mode is completely 
transparent to the logging applications. 


NOTE: The port at which the Platform Agent connects to the Logging Cache Module is configured in the 
logevent.cfg file. For more information on this parameter, see “Logevent” on page 58. 


The Logging Cache Module maintains a separate cache file for each authenticated application. The 
cache files include the authentication credentials as well as the log events for their respective 
applications. 


When the connection to the Secure Logging Server is restored, the Logging Cache Module 
transmits the cache files to the Secure Logging Server. To protect the integrity of the data store, 
the Secure Logging Server validates the authentication credentials in each cache file before 
logging its events. 


The Platform Agent is not configured through Novell eDirectory™. Instead, the Platform Agent’s 
configuration settings are stored in a simple, text-based configuration file. On NetWare® and 
Windows systems, the configuration file is logevent.cfg. On Linux and Solaris systems, the file is 
logevent.conf. 


Storing the Platform Agent’s configuration in a local text file makes the Platform Agent small, 
unobtrusive, and self-contained—that is, it has no external dependencies, so it is always available 
to receive logged events. Storing the Platform Agent’s configuration in a text based file also allows 
the Platform Agent to eventually run on platforms that do not have eDirectory support. 


The following is a sample logevent.cfg file. 


LogHost=127.0.0.1 
LogCacheDir=c: \logcache 
LogCachePort=288 
iogEnginePort=289 
LogCacheUnload=no 
LogReconnectInterval=600 
LogDebug=never 
LogSigned=always 


The entries in the logevent file are not case sensitive, entries can appear in any order, empty lines 
are legal, and any line that starts with a hash (#) is commented out. 


The following table provides an explanation of each setting in the logevent file. 


NOTE: Some settings might not be available in all versions of Novell Nsure Audit. 


Description 
The host name or IP address of the Secure Logging Server that the Platform Agent connects to. 
If a host name is specified, only the first address associated with that name is used. 


If the LogHost is set to Not Configured, the logging agent does not send events to the Secure 
Logging Server. 
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Setting 


LogCacheDir 


LogCachePort 


LogEnginePort 


LogCacheUnload 


LogReconnectinterval 


LogDebug 


LogSigned 


Description 


The path to the Disconnected Mode Cache files. 


The default log cache directories are as follows: 

+ sys:\etc\logcache\ (NetWare) 

¢ \program files\novell\nsure audit\cache\ (Windows) 
¢ /var/opt/novell/naudit/cache/ (Linux) 


+ /opt/NOVLnaudit/cache/ (Solaris) 


The Platform Agent automatically creates a cache file for each registered application on the current 
computer. 


NOTE: The filename for each application’s cache file is a hash value. 


The port at which the Platform Agent connects to the Logging Cache Module (Icache). The default 
port is 288. 


When the Platform Agent initializes, it opens a connection to the logging server and to the Logging 
Cache module. Opening both connections at startup enables the Platform Agent to instantly switch 
to Disconnected Cache Mode if the connection to the logging server becomes unavailable. 


Although this configuration requires two port assignments, it facilitates faster processing of incoming 
events because, if the connection to the logging server fails, the Platform Agent doesn't have to block 
logging applications while it establishes a connection to the Logging Cache module. 


The port at which the Platform Agent connects to the logging server. The default port is 289. 


The unload setting for the Logging Cache Module. Set the option to "no" if you want to prevent the 
Logging Cache Module (Icache) from being unloaded. 


IMPORTANT: lt is recommended that you do not unload Icache. Even if the local logging 
applications are no longer running, Icache must stay loaded so it can upload cached data to the 
Secure Logging Server. 


The reconnect interval in seconds. 


If the Platform Agent loses its connection to the logging server, this is the interval at which the 
Platform Agent tries to reconnect to the logging server. 


This setting determines how debug events are handled. Set the option to never to never log debug 
events; always to always log debug events; and server to use the default setting provided by the 
Secure Logging Server. 


In the current version of Novell Nsure Audit, the Secure Logging Server’s default LogDebug setting 
is always. 


This setting determines if logged events are digitally signed. Set the option to never to never sign 
events; always to always sign events; or server to use the default setting provided by the Secure 
Logging Server. 


In the current version of Novell Nsure Audit, the Secure Logging Server's default LogSigned setting 
is never. 


Digitally signing events creates a non-repudiable log because auditors can determine if an event has 
been tampered with, deleted, or if the order of events has been changed. For more information, see 
“Signing Events” on page 143. 


IMPORTANT: The Novell Nsure Audit Starter Pack that ships with NetWare 6.5 chains the first 100 
events to allow you to evaluate the product feature. If you wish to fully implement the event chaining 
feature, you must upgrade your product license. 
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Logevent.cfg is stored in the following directories: 


Operating System Path 

NetWare sys:\etc\logevent.cfg 

Windows windows_directory\logevent.cfg 
Linux\Solaris /etc/logevent.conf 


Configuring the Secure Logging Server 


The Secure Logging Server, the server component in the Nsure auditing system, is implemented 
in the shared library, lengine. For more information on program binaries, see “Program Files” on 
page 185. 


The Secure Logging Server manages the flow of information to and from the Nsure auditing 
system. It receives incoming events and requests from the Platform Agents, logs information to 
the data store, monitors designated events, and provides filtering and notification services. It can 
also be configured to automatically reset critical system attributes according to a specified policy. 


The Secure Logging Server is configured through eDirectory. The Logging Server object in 
eDirectory stores all the properties and attributes for the Secure Logging Server. Consequently, the 
server must have access to eDirectory and the Logging Server object before it can launch the 
Secure Logging Server. 


To minimize server reaction time and ensure high system performance, you should create a local 
replica of the Logging Server object and its associated objects on the logging server. 


Creating the Logging Server Object 
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On NetWare, Linux, and Solaris systems, the Logging Server object can be created automatically 
in the Logging Services container during installation or it can be created manually anywhere in the 
tree after installation. Which option you choose depends, to a degree, on your system design. 


NOTE: The Windows installation program automatically creates the Logging Server object in the Logging 
Services container. 


Locating the Logging Server object in the Logging Services container is ideal for organizations 
that need a simple, easy-to-manage logging system. It also suits organizations that are 
implementing Nsure Audit as an auditing solution and, for security reasons, want to centrally 
manage their systems. Using the Configure Logging Server option, these systems are immediately 
operational after install. 


Conversely, to facilitate distributed system administration, Logging Server objects can be created 
and managed outside the Logging Services container. In fact, in distributed environments, 
Logging Servers and their associated objects should be created in a context assigned to their 
administrator. To create Logging Server objects outside of the Logging Services container, you 
must manually create the objects using iManager or WebAdmin. 


For information on creating objects in your respective administrative tool, see Chapter 4, 
“Configuration Tools,” on page 47. 
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Logging Server Objects 


The Logging Server object represents the physical server where you have installed the Secure 
Logging Server. However, because the Logging Server object is specific to Nsure Audit, it does 
not replace the NCP Server object. Instead, each Logging Server object is associated with a host 
NCP Server object. 


The Logging Server object is represented as a container with server attributes: it can contain Nsure 
Audit objects and it stores all the properties and attributes for the Secure Logging Server. 


The following table provides an explanation of the Logging Server object’s attributes. 


Attribute 
Configuration 


Host Server 


Driver Directory 


Log Channel 


Secure Logging Certificate 
File 


Secure Logging Privatekey 
File 


Description 


The distinguished name of the NCP Server object associated with the current logging server. 


Click the Object Selector button to select the Host Server in the tree. 


The directory in which the channel drivers (Igd*) are located. 


The default channel driver directories are as follows: 
+ sys:\system\ (NetWare) 

¢ \program files\novell\nsure audit\ (Windows) 

¢ /opt/novell/naudit/ (Linux) 


+ /opt/NOVLnaudit/ (Solaris) 


The Channel object the logging server uses to create the central data store. 


Click the Object Selector button to select the Channel object in the tree. 


The path and filename for the Logging Server Certificate. 


This attribute enables the logging server to use a custom certificate created with the AudCGen 
utility. If this field is left blank, the logging server uses the default embedded certificate. 


IMPORTANT: Nsure Audit only recognizes certificates that are generated with the AudCGen 
utility. For information on generating custom certificates, see “Creating the Secure Logging 
Certificate” on page 144. 


NSure Audit uses certificates to authenticate client connections. The logging server only 
accepts connections from applications that have a valid Logging Application Certificate. 


For general information on how certificates are used in Nsure Audit, see Chapter 11, “Security 
and Non-Repudiation,” on page 141. 


The path and filename for the Secure Logging Certificate's private key file. 


If this field is left blank, the logging server assumes the private key is included with the 
certificate and uses the path and filename for the Secure Logging Certificate. 


Again, this is only required if you do not use the Nsure Audit program’s embedded certificates. 


IMPORTANT: Nsure Audit only recognizes certificates and private keys that are generated 
with the AudCGen utility. For more information, see “Creating the Secure Logging Certificate” 
on page 144. 
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Attribute 


Containers 


Application Containers 


Notification Containers 


Channel Containers 


Memory 


Minimum 


Normal 


Description 


IMPORTANT: The logging server scans these containers only at startup. Therefore, ifyou add 
a container, you must restart the logging server. For information on restarting the Secure 
Logging Server, see “Secure Logging Server Startup Commands” on page 176. 


The Application containers supported by the current Logging Server object. 


Application containers provide a reference point through which the logging server can locate 
Application objects. Application containers must be included in this list for the logging server to 
locate their associated Application objects. For more information on Application containers and 
objects, see “Application Objects” on page 28. 


The Application container in Logging Services is added to this list by default. 


The Notification containers supported by the current Logging Server object. 


Notification containers provide a reference point through which the logging server can locate 
Notification Filter and Heartbeat objects. Notification containers must be included in this list for 
the logging server to locate their associated Notification objects. For more information, see 
“Notification Objects” on page 30. 


The Notification container in Logging Services is added to this list by default. 


The Channel containers supported by the current Logging Server object. 


Channel containers provide a reference point through which the logging server can locate 
Channel objects. Channel containers must be included in this list for the logging server to locate 
their associated Channel objects. For more information on Channel containers and objects, see 
“Configuring System Channels” on page 81. 


The Channel container in Logging Services is added to this list by default. 


The memory configuration settings allow you to optimize your logging server's performance. 
You should adjust these settings based on logging traffic and the amount of memory available 
to your system. Reasonable values depend on your network. 


In organizations that require high-performance logging, these parameters should be set high 
enough to accommodate peak loads. 


For organizations that must minimize potential data loss, these settings should be very small. 
Although this might slow performance, it minimizes the amount of data that might be lost in the 
event of server failure. 


If incoming log events exceed the amount of memory you have allocated on your logging 
server, the Platform Agents temporarily write events to their Disconnected Mode Caches until 
the logging server clears its cache. This prevents any logged events from being lost. 


The amount of memory the server automatically allocates at boot time to handle logging 
processes. 


Because allocating additional memory on the fly can slow down code execution, this setting 
should represent the minimum amount of memory needed to handle your system's baseline 
level of logging traffic. Pre-allocating the minimum amount of memory required by your system 
reduces additional blocking delays when the system is under high load and facilitates faster 
processing of incoming events. 


The amount of memory the server can immediately allocate if logging traffic exceeds the 
Minimum memory setting. 
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Attribute Description 
Maximum The maximum amount of memory that can be allocated to logging processes. 


Setting a maximum prevents Nsure Audit from monopolizing the server's resources. Ideally, 
this should be set close to the Normal memory setting. 


Iflogging traffic exceeds the Normal memory setting, the server incrementally increases the 
logging cache 4 KB at a time. (4 KB is the amount of memory required to process a single 
event.) When the Maximum memory allocation is reached, the server begins dropping Platform 
Agent connections. If the logging server drops its connection, the Platform Agent simply logs 
events to its Disconnected Mode Cache, thereby ensuring no information is lost. When free 
cache is available, the logging server once again accepts Platform Agent connections. 


Status This option allows you to enable or disable the Secure Logging Server. By default, the logging 
server is enabled. 


If you mark the Disabled option, you must either restart the server or manually unload the 
Secure Logging Server for this setting to become effective. Thereafter, the server cannot 
launch the Secure Logging Server (lengine) until you mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 


Configuring the Logging Server in iManager 


The Server Configuration task in iManager allows you to configure a specific Logging Server 
object in the tree. It also allows you to create Channel, Notification, and Application objects in the 
server’s supported containers. 


NOTE: Channel, Notification, and Application containers cannot be created from the Server Configuration 
task. Container objects can be created only from the Object view. For general information on creating objects 
from the Object view, see “Creating Objects in iManager” on page 50. 


To use the Server Configuration task in iManager: 
4 Click the Roles and Tasks button on the iManager toolbar. 


2 Inthe Roles and Tasks view, expand the Nsure Audit role and select the Server Configuration 
task. 


3 Specify the Logging Server object you want to modify, then click OK. 
3a Click the Object Selector button to locate the object in the directory tree. 


To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


iManager only links valid entries. 


3b Click the Object History button to see a list of Logging Server objects that have been 
selected during this iManager session. 


4 Modify the Logging Server object’s attributes. 


IMPORTANT: If you modify attributes in multiple tabs, you must click Apply in each screen to save your 
changes. 


5 When finished, click OK. 


The following table outlines the options available from the Server Configuration task: 
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Menu Option 
General 
Configuration 


Host Server 


Driver Directory 


Log Channel 


Secure Logging Certificate File 


Secure Logging Privatekey File 


Description 


The General screen provides three sub-menus: Configuration, Memory, and Status. 


The distinguished name of the NCP Server object associated with the current logging 
server. 


Click the Object Selector button to select the Host Server in the tree. 


The directory in which the channel drivers (Igd*) are located. 
The default channel driver directories are as follows: 

+ sys:\system\ (NetWare) 

+ \program files\novell\nsure audit (Windows) 

¢ /opt/novell/naudit/ (Linux) 


/opt/NOVLnaudit/ (Solaris) 


+ 


The Channel object the logging server uses to create the central data store. 


Click the Object Selector button to select the Channel object in the tree. 


The path and filename for the Logging Server Certificate. 


This attribute enables the logging server to use a custom certificate created with the 
AudCGen utility. If this field is left blank, the logging server uses the default embedded 
certificate. 


IMPORTANT: Nsure Audit only recognizes certificates that are generated with the 
AudCGen utility. For information on generating custom certificates, see “Creating the 
Secure Logging Certificate” on page 144. 


NSure Audit uses certificates to authenticate client connections. The logging server 
accepts connections only from applications that have a valid Logging Application 
Certificate. 


For general information on how certificates are used in Nsure Audit, see Chapter 11, 
“Security and Non-Repudiation,” on page 141. 


The path and filename for the Secure Logging Certificate's private key file. 


If this field is left blank, the logging server assumes the private key is included with the 
certificate and uses the path and filename for the Secure Logging Certificate. 


Again, this is only required if you do not use the Nsure Audit program's embedded 
certificates. 


IMPORTANT: Nsure Audit only recognizes certificates and private keys that are 
generated with the AudCGen utility. For more information, see “Creating the Secure 
Logging Certificate” on page 144. 
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Menu Option Description 


Memory The memory configuration settings allow you to optimize your logging server’s 
performance. You should adjust these settings based on logging traffic and the amount 
of memory available to your system. Reasonable values depend on your network. 


In organizations that require high-performance logging, these parameters should be set 
high enough to accommodate peak loads. 


For organizations that must minimize potential data loss, these settings should be very 
small. Although this can slow performance, it minimizes the amount of data that might be 
lost in the event of server failure. 


Ifincoming log events exceed the amount of memory you have allocated on your logging 
server, the Platform Agents temporarily write events to their Disconnected Mode Caches 
until the logging server clears its cache. This prevents any logged events from being lost. 


Minimum The amount of memory the server automatically allocates at boot time to handle logging 
processes. 


Because allocating additional memory on the fly can slow down code execution, this 
setting should represent the minimum amount of memory needed to handle your 
system's baseline level of logging traffic. Pre-allocating the minimum amount of memory 
required by your system reduces additional blocking delays when the system is under 
high load and facilitates faster processing of incoming events. 


Normal The amount of memory the server can immediately allocate if logging traffic exceeds the 
Minimum memory setting. 


Maximum The maximum amount of memory that can be allocated to logging processes. 


Setting a maximum prevents Nsure Audit from monopolizing the server’s resources. 
Ideally, this should be set close to the Normal memory setting. 


If logging traffic exceeds the Normal memory setting, the server incrementally increases 
the logging cache 4 KB at a time. (4 KB is the amount of memory required to process a 
single event.) When the Maximum memory allocation is reached, the server begins 
dropping Platform Agent connections. If the logging server drops its connection, the 
Platform Agent simply logs events to its Disconnected Mode Cache, thereby ensuring no 
information is lost. When free cache is available, the logging server once again accepts 
Platform Agent connections. 


Status This option allows you to enable or disable the Secure Logging Server. By default, the 
logging server is enabled. 


If you mark the Disabled option, you must either restart the server or manually unload the 
Secure Logging Server for the setting to become effective. Thereafter, the server cannot 
launch the Secure Logging Server (lengine) until you mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 176. 


Channels The Channels screen allows you to add or remove the Channel containers supported by 
the current Logging Server object. It also allows you to view, create, modify, and delete 
Channel objects within supported Channel containers. 


IMPORTANT: The logging server scans Channel containers and objects only at startup. 
Therefore, if you add, remove, or modify a Channel container or object, you must restart 
the logging server for the change to take effect. For more information, see “Secure 
Logging Server Startup Commands’ on page 176. 


For more information on Channel objects, see Chapter 8, “Configuring System 
Channels,” on page 81. 
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Menu Option 


Add Container 


Remove Container 


New Channel 


Edit Channel 


Delete Channel 


Description 


Adds an existing Channel container to the logging server's list of supported containers. 
Adding a container means that the logging server scans that container for Channel 
objects at startup. 


The Channel container in Logging Services is added to this list by default. 


Channel containers cannot be created from the Server Configuration task. Container 
objects can only be created from the Object view. For general information on creating 
objects from the Object view, see “Creating Objects in iManager” on page 50. 


To add a Channel container to the logging server's list of supported Channel containers: 
1. Click Add Container. 


2. Select a Channel container from the tree. 


To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


Removes the selected Channel container from the logging server's list of supported 
containers. Removing a container means that the logging server no longer scans that 
container for Channel objects at startup. 


Removing a Channel container from the list does not delete the container or any of its 
associated objects. 


To remove a Channel container from the logging server's list of supported Channel 
containers: 


1. Mark the Channel container you want to remove. 


2. Click Remove Container. 


Creates a new Channel object in the selected container. 

1. Mark the Channel container in which you would like to create the Channel object. 
2. Click New Channel, then OK. 

3. Select the Channel object type. 

4. Specify the Channel object name. 

5. Click OK. 


The new Channel object now appears under the designated Channel container. 


Allows you to modify the selected Channel object's configuration. 


To define or modify a Channel object's attributes: 
1. Mark the Channel object you want to modify. 
2. Click Edit Channel. 


3. Modify the object's attributes. You must click Apply in each screen to save your 
changes. 


4. When finished, click OK. 


Deletes the selected Channel object. Deleting a Channel object completely removes the 
object from the system. 


1. Mark the Channel object you want to delete. 
2. Click Delete Channel. 
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Menu Option Description 


Notifications The Notifications screen allows you to add or remove the Notification containers 
supported by the current Logging Server object. It also allows you to view, create, modify, 
and delete Notification objects within supported Notification containers. 


IMPORTANT: The logging server scans only Notification containers and objects at 
startup. Therefore, if you add, remove, or modify a Notification container or object, you 
must restart the logging server for the change to take effect. For more information, see 
“Secure Logging Server Startup Commands” on page 176. 


For more information on Notification objects, see Chapter 9, “Configuring Filters and 
Event Notifications,” on page 101. 


Add Container Adds an existing Notification container to the logging server's list of supported 
containers. Adding a container means that the logging server scans that container for 
Notification objects at startup. 


The Notification container in Logging Services is added to this list by default. 


Notification containers cannot be created from the Server Configuration task. Container 
objects can only be created from the Object view. For general information on creating 
objects from the Object view, see “Creating Objects in iManager” on page 50. 


To add a Notification container to the logging server's list of supported Notification 
containers: 


1. Click Add Container. 


2. Select a Notification container from the tree. 


To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


Remove Container Removes the selected Notification container from the logging server's list of supported 
containers. Removing a container means that the logging server no longer scans that 
container for Notification objects at startup. 


Removing a Notification container from the list does not delete the container or any of its 
associated objects. 


To remove an Application container from the logging server's list of supported 
Application containers: 


1. Mark the Application container you want to remove. 


2. Click Remove Container. 


New Notification Creates a new Notification object in the selected container. 


1. Mark the Notification container in which you would like to create the Notification 
object. 


2. Click New Notification, then click OK. 

3. Specify the Notification object name. 

4. Select Notification or Heartbeat Notification. 
5. Click OK. 


The new Notification object now appears under the designated Notification container. 


For more information on Notification objects, see Chapter 9, “Configuring Filters and 
Event Notifications,” on page 101. 
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Menu Option 


Edit Notification 


Delete Notification 


Log Applications 


Add Container 


Description 
Allows you to modify the selected Notification object's configuration. 


To define or modify a Notification object's attributes: 
1. Mark the Notification object. 
2. Click Edit Notification. 


3. Modify the object's attributes. You must click Apply in each screen to save your 
changes. 


4. When finished, click OK. 


For detailed information on Notification object attributes, see “Notification Filters” on 
page 102 and “Heartbeat Objects” on page 104. 


Deletes the selected Notification object. Deleting a Notification object completely 
removes the object from the system. 

1. Mark the Notification object you want to delete. 

2. Click Delete Notification. 

The Log Applications screen allows you to add or remove the Application containers 


supported by the current Logging Server object. It also allows you to view, create, modify, 
and delete Application objects within supported Application containers. 


IMPORTANT: The logging server scans application containers and objects only at 
startup. Therefore, if you add, remove, or modify an Application container or object, you 
must restart the logging server for the change to take effect. For more information, see 
“Secure Logging Server Startup Commands” on page 176. 


For more information on Application objects, see Chapter 7, “Managing Applications that 
Log to Nsure Audit,” on page 77. 


Adds an existing Application container to the logging server's list of supported containers. 
Adding a container means that the logging server scans that container for Application 
objects at startup. 


The Application container in Logging Services is added to this list by default. 


Application containers cannot be created from the Server Configuration task. Container 
objects can only be created from the Object view. For general information on creating 
objects from the Object view, see “Creating Objects in ¡Manager” on page 50. 


To add an Application container to the logging server's list of supported Application 
containers: 


1. Click Add Container. 


2. Select an Application container from the tree. 


To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 
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Menu Option Description 


Remove Container Removes the selected Application container from the logging server's list of supported 
containers. Removing a container means that the logging server no longer scans that 
container for Application objects at startup. 


Removing an Application container from the list does not delete the container or any of 
its associated objects. 


To remove an Application container from the logging server's list of supported 
Application containers: 


1. Mark the Application container you want to remove. 


2. Click Remove Container. 


New Log Application Creates a new Application object in the selected container. 


Application objects are automatically created when Nsure Audit-enabled applications are 
installed into your tree; however, if necessary, Application objects can also be manually 
added to the tree. 


1. Mark the Application container in which you would like to create the Application object. 
2. Click New Log Application, then click OK. 
3. Specify the Application object name and click OK. 


The new Application object now appears under the designated Application container. 


Edit Log Application Allows you to modify the selected Application object's configuration. 
To define or modify an Application object's attributes: 
1. Mark the Application object. 
2. Click Edit Log Application. 


3. Modify the object's attributes. You must click Apply in each screen to save your 
changes. 


4. When finished, click OK. 


For information on the Application object's attributes, see “Application Objects” on 
page 78. 


Delete Log Application Deletes the selected Application object. Deleting an Application object completely 
removes the object from the system. 


1. Mark the Application object you want to delete. 


2. Click Delete Log Application. 


Configuring the Data Store 


Nsure Audit is able to write the data store to the following storage devices: 
+ File Data Store 
+ MySQL Data Store 
+ Oracle Data Store 


+ Syslog Data Store 
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File Data Store 


Before selecting a storage device for your data store, you need to consider your system’s logging 
traffic. On the high end, the File driver can process over 60,000 events per second on a P4 Xeon 
class server. Databases, on the other hand, are, much slower. The MySQL driver can handle about 
3,000 events per second on a P4 Xeon class server. 


Novell Nsure Audit is designed to handle occasional peaks that exceed a given database’s 
limitations; however, if you expect to consistently exceed the database driver’s capacity, you must 
plan your setup accordingly, either by using multiple Secure Logging Servers or by using the file 
driver. 


IMPORTANT: In planning your system setup, you should perform your own throughput test in your 
environment and not rely solely on the numbers provided in this document. 


To configure the Nsure Audit data store, you must first create a Channel object. Each Channel 
object defines the parameters associated with its corresponding storage device. For example, 
MySQL Channel objects include the IP address or host name of the MySQL database server, a 
username and password for connecting with the server, the database and table names, and fields 
for SQL table create and expiration commands. For more information on creating and configuring 
Channel objects, see Chapter 8, “Configuring System Channels,” on page 81. 


After creating the Channel object, you must configure the logging server to log events to that 
channel. The Log Driver property in the Logging Server object determines which Channel object 
the server uses to create the data store. For more information on the Log Driver property, see 
“Logging Server Objects” on page 61. 


After the Channel and Logging Server objects are configured, you must restart the logging server 
to load the Channel object configuration and the channel driver. In most cases, the channel driver 
automatically creates the necessary file or database table for the data store. 


IMPORTANT: Novell Nsure Audit does not secure the data store. Therefore, you must manage data store 
security at the database, for MySQL and Oracle data stores, or through the file system, in the for file data 
stores. 


The data store structure for each storage device is discussed in the following sections. 


Depending on the File Channel object configuration, the File channel driver (Igdfile) can log 
events in raw format or it can translate the event data into a human-readable log. All file data stores 
are named “log.” 


Raw files simply contain the event data; consequently, they are not in a human-readable format. 
However, because they maintain a consistent field structure across events, they can be imported 
into spreadsheet programs like Microsoft Excel. 


The following is a sample from a raw log file: 


16777343,1051924636,1051924647, eDirInst\Object, 721699,7,0, .OntarioTestData.Channels.Logging 
Services,,0,0,0,LI1NhdHVybiBMb2dnaW5nIFN1cnZ1ci5Mb2dnaW5nIFN1cnZpY2Vz 
16777343,1051924636,1051924647, eDirInst\Object, 721690,7,0, .eDirectoryInstrumentation.Applicat 
ions.Logging Services,,0,0,0,LINhdHVybiBMb2dnaW5nIFNicnZ1lci5Mb2dnaw5nIFNicnZpY2vVz 
16777343,1051926065, 1051926065, eDirInst\Object, 720897,7,0, .BillBob.SIM,,0,0,1, LmFkbWluLINJTQ= 


Translated log files, on the other hand, can be visually scanned for content; however, it is difficult 
to generate reports from these files because there is no consistent field structure—they contain 
only the event descriptions. 


The following is a sample from a translated log file: 
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[Sat, 03 May 2003 01:25:10 +0000] eDirInst\Object: A read operation was performed on object 
.OntarioTestData.Channels.Logging Services by .Saturn Logging Server.Logging Services 

[Sat, 03 May 2003 01:25:10 +0000] eDirInst\Object: A list Subordinate Entires operation has 
been performed on container .eDirectory Instrumentation.Applications.Logging Services by 
-Saturn Logging Server.Logging Services 

[Sat, 03 May 2003 01:39:41 +0000] eDirInst\Object: A new eDirectory object called .BillBob.SIM 
(Class:User) was created by .admin.SIM 


In addition to providing different log formats, the File channel is capable of creating localized logs. 
If the logging applications have localized Log Schema (LSC) files, the File channel can write 
translated log files in the language designated in the File Channel object. 


NOTE: LSC files catalog the events that can be logged for a given application. They can also indicate what 
kind of data is stored in the event fields and provide descriptive information on the event itself. For more 
information, see “Log Schema Files” on page 163. 


For more information on the File channel, see “File” on page 85. 


MySQL Data Store 


When the logging server loads the MySQL Channel object configuration, the MySQL channel 
driver, lgdmsql, automatically creates the data store’s database and table using the names defined 
in the MySQL Channel object. 


The MySQL channel driver builds the data store using the following table structure: 


SourceIP INT UNSIGNED, ClientTimestamp INT UNSIGNED, ClientMS INT UNSIGNED, 
ServerTimestamp INT UNSIGNED, Component VARCHAR(255), EventID INT UNSIGNED, 
Severity SMALLINT UNSIGNED, Grouping INT UNSIGNED, Textl1l VARCHAR(255), Text2 
VARCHAR (255), Valuel BIGINT UNSIGNED, Value2 BIGINT UNSIGNED, MIMEType 
SMALLINT UNSIGNED, DataSize INTEGER UNSIGNED, Data MEDIUMBLOB, Signature 
VARCHAR (255), INDEX(ClientTimestamp), INDEX (EventID) 


The default number of rows depends on the operating system. The default maximum size for a 
MySQL table is 4 GB (or 2 GB if your operating system only supports 2 GB tables). This default 
size limitation keeps pointer sizes down, making the index smaller and faster. 


IMPORTANT: If the SQL server data volume runs out of disk space, any clients logging events will freeze and 
need to be restarted. 


NOTE: If you need larger tables, use the max_rows and avg_row_length commands in the MySQL Channel 
object’s Create Table Options property 


For more detailed information on using MySQL with Nsure Audit, see Appendix B, “Using 
MySQL with Nsure Audit,” on page 167. 


For more information on the MySQL channel, see “MySQL” on page 89. 


Oracle Data Store 


The Oracle channel drive, Igdora, creates the table for the Oracle data store automatically. In most 
circumstances, you do not need to create the data store table. 


If a situation arises requiring you to create this table manually, you can create the data store using 
the following table structure: 


CREATE TABLE LOG ( 
"SOURCEIP" INTEGER NOT NULL, 
"CLIENTTIMESTAMP" INTEGER NOT NULL, 
"CLIENTMS" INTEGER NOT NULL, 
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ED 60 INITRANS 2 STORAGE (INITIAL 40960 


"SERVERTIMESTAMP" INTEGER NOT NULL, 
"COMPONENT" VARCHAR2 (255) NOT NULL, 
"EVENTID" INTEGER NOT NULL, 
"SEVERITY" INTEGER NOT NULL, 
"GROUPING" INTEGER NOT NULL, 
"TEXT1" VARCHAR2 (255), 

"TEXT2" VARCHAR2 (255), 

"VALUE1" INTEGER NOT NULL, 

"VALUE2" INTEGER NOT NULL, 
"MIMETYPE" INTEGER NOT NULL, 
"DATASIZE" INTEGER NOT NULL, 

"DATA" RAW(2000)), 

"SIGNATURE" VARCHAR (255), 
TABLESPACE "USERS" PCTFREE 5 PCTUSI 
NEXT 8192 PCTINCREASE 0) 


For more information on the Oracle channel, see “Oracle” on page 91. 


IMPORTANT: Because Oracle no longer supports NetWare, Oracle data stores can be created only on 
Windows, Solaris, and Linux systems. 


Syslog Data Store 
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The Syslog channel driver, lgdsyslog, allows the logging server to log events to a specific syslog 
facility on any syslog host. 


It is also capable of creating localized logs. If the logging applications have localized Log Schema 
(LSC) files, the Syslog channel can write the log files in the language designated in the Syslog 
Channel object. 


For more information on the Syslog channel, see “Syslog” on page 97. 
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Logging eDirectory, NetWare, and File System 
Events 


Novell® Nsure™ Audit provides the instrumentations necessary to log Novell eDirectory™, 
NetWare®, traditional file system, and NSS events. This section provides the information you need 
to determine which events you should log to protect your corporate assets and how to log those 
events. 


¢ “Instrumentation Files” on page 73 
+ “Logging Events” on page 74 

+ “NetWare Events” on page 75 

+ “File System Events” on page 75 


¢ “eDirectory Events” on page 75 


Instrumentation Files 


The NetWare and eDirectory Instrumentations for Novell Nsure Audit (auditNW and auditDS, 
respectively) allow Nsure Audit to log NetWare, eDirectory, and file system events. 


To enable NetWare and file system logging, auditNW must be loaded on every NetWare server on 
which you want to log NetWare and file system events. To log replicated eDirectory events (such 
as object creation and deletion) on NetWare, Windows, Linux and Solaris systems, auditDS should 
be loaded on one server per DS Replica. To log non-replicated events (such as logins), it must be 
installed on each individual server for which you want to log non-replicated events. 


IMPORTANT: If you load auditDS on more than one server per DS Replica, you will get duplicate entries for 
replicated events. 


Additionally, the Platform Agent must be installed on every server on which you want to log 
NetWare, file system, and eDirectory events. AuditNW and auditDS automatically load the 
Platform A gent (logevent) to send events to the Secure Logging Server. 


On NetWare, auditN W and auditDS are automatically loaded each time the server restarts. On 
Windows, Linux, and Solaris systems, you must manually load auditDS or add auditDS to the 
server startup scripts to begin logging eDirectory events. For information on starting the NetWare 
and eDirectory Instrumentations, see “NetWare and eDirectory Instrumentation Startup 
Commands” on page 177 


Supported Platforms 


The eDirectory Instrumentation can log events from the following versions of the Directory: 
+ NDS® 6.x 
+ NDS 7.x 
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+ NDS 8.x 
¢ eDirectory 8.6 (NetWare, Windows, Linux, and Solaris) 
¢ eDirectory 8.7 (NetWare, Windows, Linux, and Solaris) 


The NetWare Instrumentation can log NetWare and file system events from the following 
platforms: 


+ NetWare 4.2 SP9 
+ NetWare 5.1 SP6 
+ NetWare 6.0 SP3 
+ NetWare 6.5 


Logging Events 


During installation, Nsure Audit extends the definition of the NCP Server object to include log 
settings for eDirectory, NetWare, and file system events. These settings are found under the Nsure 
Audit option in the NCP Server object. 
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The Nsure Audit screen has four different menus: Server, NetWare, Filesystem, and eDirectory. 
The Server menu identifies the Logging Server object associated with the current NCP Server 
object. This menu is for informational purposes only and cannot be modified. The NetWare, 
Filesystem, and eDirectory menus list the events that fall in their respective categories. 


To select which NetWare, File system, or eDirectory events you want to log: 


4 Click Nsure Audit in the NCP Server object. 
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2 Select an event menu (NetWare, Filesystem, or eDirectory). 
3 Mark the check box next to the events you want to log. 
4 Click Apply. 
IMPORTANT: You must click Apply in each screen to save your changes. 
5 When finished, click OK. 


When you click Apply, the logging server automatically begins logging the marked events. 


NOTE: You do not need to restart the logging server to effect changes to Nsure Audit attributes in the NCP 
Server object. 


NetWare Events 


NetWare events are server-specific settings; that is, they must be enabled on each NCP Server 
object in the tree. The NetWare Instrumentation can log NetWare and file system events from 
NetWare 4.2 systems and higher. 


The NetWare Events (http://www.novell.com/documentation/lg/nsureaudit/html/ 
Netware_Events.htm) link opens a table that lists the File System events that can be logged to 
Novell Nsure Audit. 


NOTE: You do not need to restart the logging server to activate your changes in the NetWare menu. 


File System Events 


File System events are server-specific settings; that is, they must be enabled on each NCP Server 
object in the tree. The NetWare Instrumentation logs all traditional and NSS file system activity 
for the selected events. 


NOTE: If you want to filter events on a volume or directory level, you can create Notification filters that select 
events based on the volume or directory listed in the Text2 field. 


The File System Events (http://www.novell.com/documentation/lg/nsureaudit/html/ 
Filesystem_Events.htm) link opens a table that lists the File System events that can be logged to 
Novell Nsure Audit: 


NOTE: You do not need to restart the logging server to activate your changes in the Filesystem menu. 


eDirectory Events 


eDirectory events are partition-specific; that is, they only need to be enabled on one NCP Server 
object per partition. The eDirectory Instrumentation can log events from NDS version 6 or 7 and 
eDirectory 8.5 or higher. 


The eDirectory Events (http://www.novell.com/documentation/lg/nsureaudit/html/ 
eDirectory_Events.htm) link opens a table that lists the eDirectory events that can be logged to 
Novell Nsure Audit: 


NOTE: You do not need to restart the logging server to activate your changes in the eDirectory menu. 


eDirectory events describing attribute changes store the new attribute values in the event’s data 
field. 
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In the case of a few critical events, eDirectory cannot complete the transaction until the 
corresponding event is sent to the Secure Logging Server. This ensures that the transaction is 
logged to the data store. (These events are noted in the event table.) 


eDirectory events such as login and logout are ubiquitous and can quickly fill your data store. 
Therefore, you should monitor your system’s event traffic and configure your data store’s 
expiration or roll policies accordingly. For information on the MySQL channel’s expiration 
properties, see “MySQL Channel Object” on page 90. For information on configuring the File 
channel to purge or roll its log files, see “File Channel Object” on page 86. 
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Overview 


Managing Applications that Log to Nsure Audit 


Novell® Nsure™ Audit is a comprehensive auditing system that is capable of logging events from 
multiple, multi-vendor applications. This section provides the information you need to manage 
your system’s logging applications. 


+ “Overview” on page 77 
+ “Creating Application Objects” on page 77 
+ “Application Objects” on page 78 


Applications that log to or request information from Nsure Audit are represented in Novell 
eDirectory™ by an Application object. Application objects store the information the logging server 
needs to authenticate logging applications. 


NOTE: For more information on the authentication process, see “Authenticating Logging Applications” on 
page 141.. 


In addition to facilitating system authentication and monitoring, Application objects store the 
application’s log schema. The log schema catalogs the events that can be logged for a given 
application. For more information, see “Log Schema Files” on page 163. 


Creating Application Objects 


Typically, Application objects are automatically created in the Application container under 
Logging Services when their associated logging application is installed. 


For example, during installation, Novell Nsure Audit automatically creates Application objects for 
itself (the Naudit Instrumentation), the eDirectory Instrumentation, and the NetWare® 
Instrumentation. Novell Nsure Audit creates these objects in the Application container under 
Logging Services. 


NOTE: The Naudit Instrumentation allows Nsure Audit to audit its own events, such as creating Channel or 
Notification objects. The eDirectory Instrumentation manages logging of eDirectory events, and the NetWare 
Instrumentation (NetWare only) provides logging for NetWare and file system events. For more information on 
the eDirectory and NetWare instrumentations, see Chapter 6, “Logging eDirectory, NetWare, and File System 
Events,” on page 73. 


If necessary, you can also create Application objects using ¡Manager or WebAdmin. If you 
manually create the Application object, you must have the product’s Application Identifier and the 
Application ID. Although these should be available in the product’s documentation, they are also 
included in the product’s Log Schema file. For more information on the Application Identifier and 
Application ID attributes, see “Application Objects” on page 78. For information on using 
¡Manager or WebAdmin, see Chapter 4, “Configuration Tools,” on page 47. 
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You must also create the Application object in an Application container. The Application 
container under Logging Services is automatically created during installation; however, additional 
Application containers can be created anywhere in the tree. 


Creating Application objects in the central Application container under Logging Services is ideal 
for organizations that need a simple, easy-to-manage logging system. It also suits organizations 
that are implementing Nsure Audit as an auditing solution and, for security reasons, want to 
centrally manage their system. 


If you want to distribute logging system administration, however, Application objects can be 
created anywhere in the tree. For example, if administration is divided by logging server, you can 
create an Application container under each Logging Server object. On the other hand, if 
administration is divided by application (for example, one person manages logging for iChain®, 
another DirxML® lo gging, etc.), the Application container can be created in any context assigned 
to its administrator. 


If you create an Application container elsewhere in the tree, you must add that container to the 
logging server’s list of supported containers. At startup, the logging server scans its list of 
supported Application containers and loads the included Application object configurations in 
memory so it can authenticate applications. If an Application object is not in one of the logging 
server’s supported Application containers, it cannot be used to authenticate logging applications. 
For more information on the logging server’s Application Container property, see “Logging 
Server Objects” on page 61. 


IMPORTANT: The logging server loads the Application object configurations at only startup. Therefore, if you 
create a new Application container or Application object, you must first ensure that the Application container 
is included in the logging server’s Application Container list and then restart the logging server. For information 
on restarting the logging server, see “Secure Logging Server Startup Commands’ on page 176. 


Application Objects 


Application objects store the information required by the logging server to authenticate logging 

applications. They also identify which users have rights to monitor the application’s events and 

they store the application’s log schema. 

The following table provides a description of each Application object attribute. 

IMPORTANT: You must restart the logging server to effect any changes in Application object configuration. 


For more information, see “Secure Logging Server Startup Commands” on page 176. 


Attribute Description 


Application Identifier The name the logging application uses to identify itself to the logging server. 


The Application Identifier is also stored in the application’s certificate. For information on how 
the Application Identifier is used in the authentication process, see “Authenticating Logging 
Applications” on page 141. 


The Application Identifier is part of the Component string for every event logged from the 
current application. For more information, see “Event Structure” on page 157. 


This field is automatically populated when the Application object is created during install. If you 
manually create the Application object, you can find the Application Identifier in the application’s 
Log Schema file. For more information, see “Log Schema Files” on page 163. 
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Attribute 


Application ID 


Schema 


Access Control 


Status 


Description 


The four-digit hex value assigned to the current application. 


All Application IDs are assigned through Novell Developer Support and are maintained in the 
Novell Nsure Audit central registry. 


The Application ID is also part of the Event ID for every event logged from the current 
application. For more information, see “Event Structure” on page 157. 


This field is automatically populated when the Application object is created during install. If you 
manually create the Application object, you can find the Application ID in the application’s Log 
Schema file. For more information, see “Log Schema Files” on page 163 


NOTE: The logging server uses the Application ID to manage Access Control. The users 
designated in the Access Control field can monitor all events containing this Application ID. 


This option is available only from the WebAdmin administration tool. For more information see 
“WebAdmin” on page 52. 


This field displays the application's Log Schema file. 


Log Schema (LSC) files catalog the events that can be logged for a given application. They also 
indicate what kind of data is stored in the event fields. 


The information stored in LSC files is required to configure event notifications. It is also used to 
query data and generate reports. 


The users who have rights to monitor the current application’s events. This is for future 
iterations of the product. 


This option allows you to enable or disable the Application object. By default, all Application 
objects are enabled. This means that the logging server loads the Application object's 
configuration in memory at startup. 


IMPORTANT: The Application object must be located in a supported Application container for 
the logging server to use it. For more information on the logging server's Application Container 
property, see “Logging Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 176. 
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Overview 


Configuring System Channels 


Novell® Nsure™ Audit uses channels to provide event notification and log events. This section 
provides the information you need to configure your system channels. 


+ “Overview” on page 81 
+ “Creating Channel Objects” on page 81 
¢ “Supported Channels” on page 82 
+ “CVR” on page 83 
+ “File” on page 85 
+ “Java” on page 88 
+ “MySQL” on page 89 
+ “Oracle” on page 91 
+ “SMTP” on page 93 
+ “SNMP” on page 95 
+ “Syslog” on page 97 


Channel drivers enable Novell Nsure Audit to log system events and provide event notification. 
Channel drivers, in turn, are configured and managed through Channel objects in Novell 
eDirectory'M, 


Channel objects store the information the logging server needs to use a certain channel. For 
example, MySQL Channel objects include the IP address or host name of the MySQL database 
server, a username and password to connect to the server, the database and table names, and other 
relevant information. SMTP Channel objects, on the other hand, include the IP address or host 
name of the SMTP server, a username and password, and message information (the message 
recipients, sender, subject, and body). 


Creating Channel Objects 


Novell Nsure Audit is designed so you can create multiple Channel objects for any given channel 
driver. This means you can create different channel configurations for different functions or 
events. For instance, you can configure the Logging Server to use one MySQL Channel object to 
add events to the central data store and configure a Notification Filter to use another MySQL 
Channel object to create a filtered log. 


You can create Channel objects using ¡Manager or WebAdmin. For information on using 
¡Manager or WebAdmin, see Chapter 4, “Configuration Tools,” on page 47. 
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You must create Channel objects in Channel containers. The Channel container under Logging 
Services is automatically created during installation; however, additional Channel containers can 
be created anywhere in the tree. 


Creating Channel objects in the central Channel container under Logging Services is ideal for 
organizations that need a simple, easy-to-manage logging system. It also suits organizations that 
are implementing Novell Nsure Audit as an auditing solution and, for security reasons, want to 
centrally manage their system. 


If you want to distribute logging system administration, however, Channel objects can be created 
anywhere in the tree. For example, if administration is divided by logging server, you can create a 
Channel container under each Logging Server object. On the other hand, if administration is 
divided by application (for example, one person manages logging for iChain®, another DirXML® 
logging, etc.), the Channel container can be created in any context assigned to its administrator. 


If you create a Channel container elsewhere in the tree, you must add that container to the logging 
server’s list of supported containers. At startup, the logging server scans its list of supported 
Channel containers and loads the included Channel object configurations and their associated 
drivers in memory so it can provide event notification and log events. If a Channel object is not in 
one of the logging server’s supported Channel containers, it cannot be used to provide event 
notification or log events. For more information on the logging server’s Channel Container 
property, see “Logging Server Objects” on page 61. 


IMPORTANT: The logging server loads the Channel object configurations only at startup. Therefore, if you 
create a new Channel container or Channel object, you must first ensure the Channel container is included in 
the logging server’s Channel Container list and then restart the logging server. For information on restarting 
the logging server, see “Secure Logging Server Startup Commands” on page 176. 
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The NetWare® 6.5 product license authorizes you to use the Nsure Audit program’s SMTP, File, 
and MySQL channels. If you configure and enable the CVR, Java, Oracle, SNMP or Syslog 
channels, Novell Nsure Audit broadcasts licensing notices every 10 minutes to all your configured 
channels. (You do not receive notices for an unlicensed channel that is configured, but disabled.) 
The licensing notice indicates that you should acquire a license when you are done evaluating the 
additional channels. 


By default, Novell Nsure Audit supports eight channels: 


CVR Oracle 
File SMTP 
Java SNMP 
MySQL Syslog 


Additional channels can be easily incorporated in this model. For more information, see the Novell 
Nsure Audit SDK. 


The directory in which the channel drivers (lgd*) are located is defined on the Logging Server 
object; however, the default channel driver directories are as follows: 


Operating System Directory 


NetWare sys:\system\ 
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CVR 


Operating System Directory 


Windows \program files\novell\nsure audit 
Linux /opt/novell/naudit/ 
Solaris /opt/NOVLnaudit/ 


The following sections provide detailed information on each channel. 


IMPORTANT: The CVR channel resets only eDirectory attributes. 


The Critical Value Reset (CVR) channel allows you to flag an attribute in eDirectory with a reset 
policy. If the value of that specific attribute is changed, the CVR channel resets the value as per 
the policy defined in the CVR Channel object. 


The CVR channel can be used to maintain critical system settings or enforce organizational 
policies. For example, if your organization has a policy prohibiting security equivalence, you can 
create a CVR Channel object that automatically resets the Security Equals attribute to a null value. 


It can also be used to provide an added measure of system security. In the event of a security 
breach, the CVR channel can be configured to maintain your critical system settings. 


The CVR channel must be used in conjunction with a notification filter. To optimize event 
processing, the notification filter should be configured to filter only those events that the CVR 
channel can act on. For information on configuring Notification Filters, see Chapter 9, 
“Configuring Filters and Event Notifications,” on page 101. 


CVR Channel Driver 


The CVR driver is lgdcvr. 


When the CVR channel driver receives an event, it looks at the event’s Text2 field to determine if 
the logged attribute matches the attribute defined in the CVR object. If the CVR driver does not 
find a matching attribute in the event’s Text2 field, it then looks in the Textl field. 


If the contents of the Text2 or Text! field match the attribute defined in the CVR object, the driver 
looks in the remaining Text field to find the object to which the attribute belongs. It then locates 
the object in eDirectory and applies the Reset Value defined in the CVR object. 


NOTE: All eDirectory events store the event's attribute in the Text2 field and the object in the Text1 field. 


The reset process is very fast. Typically, an attribute is reset the instant it is saved. In fact, in 
¡Manager or WebAdmin, it simply appears that the change cannot be saved. 


CVR Channel Object 


The CVR Channel object stores the policy and attribute information the CVR driver needs to reset 
a given value. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 176. 
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Attribute 
Configuration 


User 


Password 


Type 


Attribute 


Reset Value 


Operators +- 


Description 
Configuration information for the CVR Channel object. 


The User object with rights to the CVR Channel object. 


IMPORTANT: The User object must have directory rights to the attribute that the CVR 
Channel object is configured to reset. 


The user account password. 


The type of data the CVR channel can expect as a Reset Value for the attribute designated in 
the Attribute field. The data type must match the Attribute Syntax defined in the directory 
schema. 


Currently, the only supported types are Distinguished Name and String. The Distinguished 
Name type supports only Distinguished Name syntax. The String type, on the other hand, 
supports multiple Attribute Syntax options. They include: 


¢ String 

+ Class Name 

+ Case Exact String 
+ Case Ignore String 
+ Numeric String 

+ Postal Address 

+ Printable String 


+ Telephone Number 


NOTE: The Attribute Syntax for a given attribute can be viewed in the eDirectory schema using 
a directory editing tool such as NDSO Snoop, ConsoleOne?, or iManager. 


The name of the attribute the CVR driver resets. You must enter the attribute name exactly as 
it appears in the eDirectory schema. 


NOTE: You can view the eDirectory schema using a directory editing tool such as NDS Snoop, 
ConsoleOne, or iManager. 


The CVR driver scans events’ Text1 and Text2 fields for matching attributes. When it finds a 
match, the CVR driver applies the reset policy. For more information on this process, see “CVR 
Channel Driver” on page 83. 


The value the CVR Channel driver maintains for a given attribute. 


IMPORTANT: The CVR Channel driver does not validate the reset value syntax. Therefore, 
you must ensure the reset value follows the required attribute syntax. For example, if the 
Attribute Syntax is Telephone Number, the reset value must be a telephone number. 


Click the plus sign (+) to add a new line. Click the minus sign (-) to remove a line. 


Each line defines a separate reset policy. The policies are not accumulative; the CVR driver 
applies each policy independently. 


There is no programmed limit to the number of policies that can be added to a CVR object. 
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Attribute 


Status 


File 


Description 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


IMPORTANT: The Channel object must be located in a supported Channel container for the 
logging server to use it. For more information on the logging server's Channel Container 
property, see “Logging Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 


The File channel allows the logging server to log events directly to file in raw format or to translate 
those events to a human-readable log file. 


The default option is to translate the log files. Raw log files can be translated at a later time using 
the letrans utility. 


Raw files simply contain the event data; consequently, they are not in a human-readable format. 
However, because these comma-delimited files maintain a consistent field structure across events, 
you can import these files into spreadsheet programs like Microsoft* Excel. 


The following is a sample from a raw log file: 


16777343,1051924636,1051924647, eDirInst\Object, 721699,7,0, .OntarioTestData.Channels.Logging 
Services,,0,0,0,L1NhdaHVybiBMb2dnaW5nIFN1cnZ1ci5Mb2dnaW5nIFN1cnZpY2Vz 
16777343,1051924636,1051924647, eDirInst\Object, 721690,7,0, .eDirectoryInstrumentation.Applicat 
ions.Logging Services,,0,0,0,LI1NhdHVybiBMb2dnaW5nIFN1cnZ1ci5Mb2dnaW5nIFN1cnZpY2Vz 
16777343,1051926065, 1051926065, eDirInst\Object, 720897,7,0, .BillBob.SIM,,0,0,1, LmFkbWluLINJTQ= 


Translated log files, on the other hand, can be visually scanned for content; however, it is difficult 
generate reports from these files because there is no consistent field structure—they contain only 
the event descriptions. 


The following is a sample from a translated log file: 


[Sat, 03 May 2003 01:25:10 +0000] eDirInst\Object: A read operation was performed on object 


. Ontario 
[Sat, 03 


TestData.Channels.Logging Services by .Saturn Logging Server.Logging Services 
May 2003 01:25:10 +0000] eDirInst\Object: A list Subordinate Entires operation has 


been performed on container .eDirectory Instrumentation.Applications.Logging Services by 


«Saturn Logging Server.Logging Services 
[Sat, 03 May 2003 01:39:41 +0000] eDirInst\Object: A new eDirectory object called .BillBob.SIM 


(Class:User) 


was created by .admin.SIM 


In addition to providing different log formats, the File channel is capable of creating localized logs. 
If the logging applications have localized log schema files and if those files are added to their 
respective Application objects, the File channel can write translated log files in the language 
designated in the File Channel object. 


NOTE: The Log Schema catalogs the events that can be logged for a given application. It can also provide 
event descriptions and labels for the event fields. For more information, see “Log Schema Files” on page 163. 


The logging server can use the File channel to write the central data store or create filtered log files. 
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File Channel Driver 


At startup, the File channel driver, lgdfile, loads each application’s log schema. If a logging 
application has multiple language versions of its log schema, the File channel loads the schema for 
the language designated in the File Channel object. 


Novell Nsure Audit stores log schema files as attributes in their respective Application objects. For 
further information, see “Log Schema Files” on page 163. 


If the File and Syslog Channel objects reference the same language, the drivers independently load 
the log schema in their own memory. The only time the log schema is shared is between multiple 
instances of the same driver. For example, if you have two File channels configured to write 
translated log files in English, the English log schema for each application is loaded only once. 


When the File channel driver creates a raw log file, it simply writes the events “as is” to the data 
store. 


When it creates a translated log file, the File driver uses the Event ID to look up each event in the 
corresponding application’s log schema and then it writes the event description to the data store. 
If the log schema isn’t available, or if there isn’t a descriptive entry for the current event, the File 
channel defaults to the following format: 


SDC $TC,$SO,$NI,$NL, $NG, $N1,$N2,$SS,$ST\n 


(Client Date and Time Stamp, Component, EventID, Log Level, Group ID, Valuel, Value2, 
Textl, Text2.) See “Event Variables” on page 160 for an explanation of each field and format 
variable. 


Because it uses the log schema to write translated logs, the File driver is also capable of creating 
localized logs. If a logging application has localized log schema files and if those files are added 
to the Application object, the File driver uses the log schema for the language designated in the 
File Channel object to write the event descriptions. For more information on the File channel’s 
language attribute, see “File Channel Object” on page 86. For information on localized log schema 
files, see “Localized Log Schema Files” on page 165. 


Flushing the File Channel Buffers 


On NetWare, the file channel driver writes events to memory and intermittently flushes the events 
to disk. The naudit file flush command forces the file channel driver to flush the events in memory 
to the log file on disk. 


To flush the file channel buffers, enter naudit file flush at the server console 


File Channel Object 


&6 


The File Channel object stores the information the File driver needs to write events to the file 
system. 
The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 176 
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Attribute 
Configuration 


Log File 


Purge log files after 


seconds 


Roll when log file reaches 
Bytes 


Log Format 


Translated 


Raw 


Description 
File Channel object configuration information. 


The path to the log file. 


The default Log File directories are as follows: 
+ sys:\etc\logdir\ (NetWare) 


¢ \program files\novell\nsure audit\logs\ (Windows) 


+ 


/var/opt/novell/naudit/logs/ (Linux) 
/opt/NOVLnaudit/logs/ (Solaris) 


+ 


IMPORTANT: All file data stores are named “log.” Therefore, if you have multiple File Channel 
objects, you must point them to different paths. 


The life span of the log files. The logging server deletes all log files older than the designated 
time period. 


The log file’s maximum file size. When a log file reaches the designated file size, Igdfile 
renames the file and creates a new log file. 


The archive filename is a combination of the current date and a hexadecimal sequence number 
(l/yy/mm/dd.###). For example, the first log file archived on July 10, 2003 would be named 
1030710.001. Subsequent log files archived on the same day would be named 1030710.002, 
1030710.003, etc. 


The File channel driver can log events in either translated or raw format. Select either 
Translated or Raw to set the logging mode for the current Channel object. 


This is the default option. 


In Translated mode, the File channel driver uses the Event ID to look up each event in the 
application’s log schema and it writes the event description to the data store. 


If the log schema isn’t available, or if there isn’t a descriptive entry for a particular event, the 
File channel defaults to the following format: 


SDC $TC, $S0O, $NI, $NL, $NG, $N1,$N2,$SS,$ST\n 


(Client Date and Time Stamp, Component, EventID, Log Level, Group ID, Value1, Value2, 
Text1, Text2) 


NOTE: Log Schema files (*.Isc) catalog the events that can be logged for a given application. 
They can also provide event descriptions and labels for the event fields. For more information, 
see “Log Schema Files” on page 163. 


Although a translated log file can be visually scanned for content, no reports can be generated 
from this file because there is no consistent field structure; it contains only the event 
descriptions. 


In Raw mode, the File channel driver writes the event data in comma-separated format (csv) to 
the data store. 


The raw log file is not in a human-readable format; however, it can be imported into 
spreadsheet programs like Microsoft Excel. 
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Attribute 


Description 


The language in which events are written to file. 


Translated Language 


Status 


Java 


IMPORTANT: This option is valid only for Translated log files. 


Iflogging applications have localized Log Schema files and if those files are added to their 
respective Application object, the File channel can write Translated log files in the selected 
language. Ifthere isn't a log schema for the selected language, the channel defaults to English. 


You can create parallel logs in multiple languages by defining multiple File Channel objects with 
different languages and having a single notification filter pass events to all those channels. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server's Channel Container property, see “Logging 
Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 176. 


The Java channel allows the logging server to output filtered events to a Java application. 
Typically, the Java class is a custom application that provides a response to specific types of 
events. For example, if a user login is disabled, the Java channel driver can launch a Java class that 
automatically resets the user account. 


Java Channel Driver 


At startup, the Java driver, lgdjava, attempts to launch the designated Java class. If it is successful, 
that instance of the class remains active until the Java Channel object is disabled or the Secure 
Logging Server is shut down. 


If it cannot launch the Java class, the Java driver refuses to load. This safeguard ensures that no 
events are lost due to misconfiguration. 


NOTE: The Java driver does not buffer events that are undeliverable due to misconfiguration or a server 
failure. 


For information on how to hook your Java class into the Java channel driver, refer to the Java 
channel API in the Novell Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 


Java Channel Object 


The Java Channel object stores the information the Java driver needs to launch a Java class. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands’ on page 176 
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Attribute 
Configuration 


Class Path 


Class Driver 


Status 


MySQL 


Description 
Contains configuration information for the Java Channel object. 


The local path to where the Java application is located. 


The Java class must be located on the current logging server. 
The name of the Java class the Java driver launches. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server's Channel Container property, see “Logging 
Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 


The MySQL channel allows the logging server to log events to a MySQL database. The logging 
server can use the MySQL channel to create the central data store or a filtered database. 


The space you need for your database depends on a number of factors. These include, but are not 
limited to, how many events per second you are storing and how long you want to keep the data. 
The MySQL install, itself, is about 20 MB. (Keep in mind that the MySQL database does not need 
to be on the same volume as the MySQL binaries.) For the data store, a system that generates 
around 80 events per second with an average event size of 80 bytes consumes approximately 500 
MB of disk space for the database table and 150 MB for the index in a 24-hour period. 


NOTE: To enable the MySQL channel, the MySQL client library, libmysgq], is installed with the Secure Logging 
Server. 


For further information, see Appendix B, “Using MySQL with Nsure Audit,” on page 167. 


MySQL Channel Driver 


When the MySQL Channel object configuration is loaded in the logging server’s memory, the 
MySQL channel driver, lgedmsq]l, automatically creates the following table structure for the 
MySQL data store: 


SourceIP INT UNSIGNED, ClientTimestamp INT UNSIGNED, ClientMS INT UNSIGNED, 
ServerTimestamp INT UNSIGNED, Component VARCHAR(255), EventID INT UNSIGNED, 
Severity SMALLINT UNSIGNED, Grouping INT UNSIGNED, Text1 VARCHAR(255), Text2 
VARCHAR (255), Valuel BIGINT UNSIGNED, Value2 BIGINT UNSIGNED, MIMEType 
SMALLINT UNSIGNED, DataSize INTEGER UNSIGNED, Data MEDIUMBLOB, Signature 
VARCHAR (255), INDEX(ClientTimestamp), INDEX (EventID) 
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The default number of rows depends on the operating system. The default maximum size for a 
MySQL table is 4 GB (or 2 GB if your operating system only supports 2 GB tables). This default 
size limitation keeps pointer sizes down, making the index smaller and faster. 


NOTE: If you need larger tables, use the max_rows and avg_row_length commands in the MySQL Channel 
object’s Create Table Options property. 


MySQL Channel Object 


The MySQL Channel object stores the information the MySQL driver needs to write events to a 
MySQL database. 
The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 176 


Attribute Description 
Host 
Address The IP Address or host name of the database server. 


If a host name is specified, only the first address associated with that name is used. 


If the MySQL channel driver loses its connection with the database server, it tries to reconnect every second for 
30 seconds. If it cannot reconnect, the driver stores its current events in memory, but it does not accept any new 
events until the connection is restored. Incoming events are either stored in the Platform Agents’ Disconnected 
Mode Cache (in the case of the central data store) or dropped (in the case of a Notification Filter database). 


User The user account the logging server uses to log in to the database. 


On NetWare 6.5, MySQL installs in Secure Mode. The default username for the NetWare 6.5 data store is 
“auditusr.” (This default can be changed during the installation of Novell Nsure Audit.) This account has all 
privileges to the default database (naudit) and can log in from any IP address. 


In Secure Mode, the default MySQL administrative account, Root, only has rights to log in at the database server. 
Therefore, if MySQL is running in Secure Mode and you want the logging server to use the Root account to log 
in to the database, MySQL and the Secure Logging Server must be located on the same server and you must 
specify a loopback address (“127.0.0.1” or “localhost”) in the Address field. 


Password The password the logging server uses to authenticate with the database. 


The default password for the NetWare 6.5 data store is “auditpwd.” (This default can be changed during the 
installation of Novell Nsure Audit.) 


Database 

Name The name of the database to which the logging server writes events. The default database name is “naudit.” 
The MySQL driver, lgdmsgq]l, automatically creates this database when the logging server first loads the current 
Channel object configuration in memory. 

Table The database table to which the logging server writes events. The default table is “log.” 


The MySQL driver, Igdmsql, automatically creates this table when the logging server first loads the current 
Channel object configuration in memory. 


For information on the default table structure, see “MySQL Channel Driver’ on page 89. 
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Attribute 
Advanced 


CREATE 
TABLE 
Options 


SQL 
Expiration 
Commands 


Expire at 
specified 
time or 
interval 


Status 


Oracle 


Description 


This property allows you to customize the default table structure using standard SQL Create Table commands. 


For example, the max_rows and avg_row_length commands can be used to increase the maximum size of 
your table as follows: 


max_rows=200000000 avg_row_length=76 


This property enables you to use SQL Expiration commands to automate database maintenance. 


For example, you can automate data archiving by configuring the MySQL channel to automatically save out the 
current table and create a new table at designated intervals. 


For a listing of command variables and sample scripts, see “SQL Expiration Command Variables” on page 168. 


Use a semi-colon (; ) to separate multiple commands that must be executed in sequence. If the commands can 
be executed in any order, no semi-colon is needed. 


WARNING: If you choose the Autoconfigure for MySQL option in the NetWare 6.5 install, the installation 
program automatically creates the MySQL Channel object with a default Expiration script that runs every night 
at midnight and automatically deletes every record older than 12 hours. This is done because the default events 
logged by the NetWare and eDirectory Instrumentations quickly fill the database. To remove this setting, simply 
delete the script from the SQL Expiration Commands property and restart the Secure Logging Server. The script 
reads as follows: 


DELETE FROM $I WHERE clienttimestamp<(unix_timestamp()-43200); 

The frequency at which the expiration command script is executed. 

For daily regimens, select a time of day. (00 is midnight.) 

For weekly regimens, select a day of the week. The expiration commands are executed at midnight on that day. 
For monthly regimens, the expiration commands are executed at midnight on the first day of the month. 


This option allows you to enable or disable the Channel object. By default, all Channel objects are enabled. This 
means that the logging server loads the Channel object’s configuration in memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to use it. For more 
information on the logging server’s Channel Container property, see “Logging Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to become effective. 
Thereafter, the logging server cannot load the object’s configuration until you mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup Commands” on page 176. 


The Oracle channel allows the logging server to log events to an Oracle database. The logging 
server can use the Oracle channel to create the central data store or a filtered database. 


NOTE: Oracle no longer supports NetWare; therefore, the Oracle Channel object cannot be used in NetWare 
environments. 


For the Oracle channel to function properly, you must install the Oracle client libraries on the same 
server as the Secure Logging Server. 
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Oracle Channel Driver 


The Oracle channel drive, lgdora, creates the table for the Oracle data store automatically. In most 
circumstances, you do not need to create the data store table. 


If a situation arises requiring you to create this table manually, you can create the data store using 
the following table structure: 


CREATE TABLE LOG ( 
"SOURCEIP" INTEGER NOT NU 
"CLIENTTIMESTAMP" INTEGER NOT NULL, 
"CLIENTMS" INTEGER NOT NULL, 
R 
) 


"SERVERTIMESTAMP" INTEGER NOT NULL, 
"COMPONENT" VARCHAR2 (255) NOT NULL, 
"EVENTID" INTEGER NOT NULL, 
"SEVERITY" INTEGER NOT NULL, 
"GROUPING" INTEGER NOT NULL, 
"TEXT1" VARCHAR2 (255), 
"TEXT2" VARCHAR2 (255), 
"VALUE1" INTEGER NOT NULL, 
"VALUE2" INTEGER NOT NULL, 

T 

T 

0 

A 

S 


"MIMETYPE" INTEGER NOT NULL, 
"DATASIZE" INTEGER NOT NULL, 
"DATA" RAW(2000)), 
"SIGNATURE" VARCHAR (255), 
TABLESPACE "USERS" PCTFREE 5 PCTUSED 60 INITRANS 2 STORAGE (INITIAL 40960 
NEXT 8192 PCTINCREASE 0) 


Oracle Channel Object 


The Oracle Channel object stores the information the Oracle driver needs to write events to an 
Oracle database. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 176 


Attribute Description 
Host 
Address The IP Address or host name of the database server. 


If a host name is specified, only the first address associated with that name is used. 


If the Oracle channel driver loses its connection with the database server, it stores its current 
events in memory, but it does not accept any new events until the connection is restored. 
Incoming events are either stored in the Platform Agent's Disconnected Mode Cache (in the 
case of the central data store) or dropped (in the case of a Notification Filter database). 


User The user name for the account the logging server uses to authenticate with the database. 
Password The password for the account the logging server uses to authenticate with the database. 
Database 

Name The name of the database to which the logging server writes events. 

Table The database table to which the logging server writes events. 
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Attribute Description 


Status This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


IMPORTANT: The Channel object must be located in a supported Channel container for the 
logging server to use it. For more information on the logging server's Channel Container 
property, see “Logging Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 


SMTP 


The SMTP channel allows the logging server to e-mail logged events. Typically, the SMTP 
channel is used to e-mail system critical events, such as a server abend, to a system administrator’s 
mailbox, cell phone, or other e-mail enabled device. Using SMTP Channel objects with 
notification filters, administrators can keep abreast of what is going on in their system as it 
happens. 


SMTP Channel Driver 


At startup, the SMTP driver, lgdsmtp, performs a server check; that is, the driver attempts to 
connect to the designated host at port 25. The server check verifies the driver can actually 
communicate with the server before it attempts to relay events. If the server check fails, the SMTP 
driver refuses to load. This safeguard ensures that no events are lost due to misconfiguration. 


The SMTP driver does not buffer events that are undeliverable because of a misconfiguration or a 
server failure. 


The SMTP channel driver can send events through servers that require SMTP authentication as 
long as a valid username and password are defined in the Channel object configuration. If the 
username and password are configured, the SMTP driver always attempts SMTP authentication 
when connecting with the relay host. It does not, however, distinguish whether or not this 
authentication is actually successful and it tries to send the message in either case. 


The SMTP driver cannot authenticate with an SMTP server on which SMTP-after-POP is enabled. 


SMTP Channel Object 


The SMTP Channel object stores the information the SMTP driver needs to relay events through 
an SMTP server. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 176. 
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Attribute 
SMTP Relay Settings 


Host 


User 


Password 


Message Settings 


Sender 


Recipient 


Subject 


Message 


Description 


The host name or IP address of the SMTP server. 


If a host name is specified, only the first address associated with that name is used. 


The user name for the e-mail account the SMTP channel uses to connect to the SMTP server. 


The user name is required only if SMTP Authentication is enabled on the SMTP server. 


The password for the e-mail account the SMTP channel uses to connect to the SMTP server. 


The password is required only if SMTP Authentication is enabled on the SMTP server. 


The name that appears in the From: line for all messages sent from this SMTP Channel object. 
For example, the sender could be Your Logging Server. 


The e-mail addresses to which all events directed through this SMTP Channel object are sent. 
Multiple recipients are delineated with a comma (, ), a space, or a semicolon (; ). 


You can also enter the $S or $T event variables in this field instead of a real address. When 
relaying an event, the SMTP driver replaces these variables with the value of the event's Text1 
or Text2 fields, respectively. (See “Event Variables” on page 160 for more information.) 


As long as the value of the Text1 or Text2 field is an e-mail address, the $S and $T variables 
can be leveraged to automatically send notification messages for user-related events such as 
a password change. 


IMPORTANT: To use the $S and $T variables, you must also configure a Notification Filter 
that directs only those events with an e-mail address in the Text1 or Text2 fields to this SMTP 
Channel object. For information on configuring Notification Filters, see Chapter 9, “Configuring 
Filters and Event Notifications,” on page 101. 


The text that appears in the Subject line for all messages sent from this SMTP Channel object. 
The subject line can contain up to 255 characters. 


The subject line can also contain event variables. The SMTP driver replaces these variables 
with a value from the event’s designated field. For a listing of event variables, see “Event 
Variables” on page 160. 


This field is optional. 


The text that appears in the message body for all messages sent from this SMTP Channel 
object. The message body can be up to 64 KB; however, for performance reasons, this is not 
recommended. 


The message body can contain event variables. The SMTP driver replaces these variables with 
a value from the event’s designated field. For a listing of event variables, see “Event Variables” 
on page 160. 


This field is optional. 
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Attribute 


Status 


SNMP 


Description 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server's Channel Container property, see “Logging 
Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 


The SNMP channel allows the logging server to send filtered events to an SNMP management 
system. 


A decoded SNMP trap appears as follows: 


E Bg SNMP: ---— Simple Network Management Protocol (Version 1) ---—— 
Ey SNMP 
{O} SNMP: SNMP Version = 1 
103 SNMP: Community = public 


- LY SNMP: Command 
03 SNMP: Enterprise 
C} SNMP: Network address 
~ (0) SNMP: Generic trap 
{O} SNMP: Specific trap 
(OJ SNMP: Time ticks 


Trap 

cede edo UIA Passa Ea Me ah E a frente Wad 
[LIF65 1597169] 

6 (Enterprise specific) 
655362 

1049518354 


19 SNMP: Object = {2.1.7.29.1975.11.1.1978} (?) 
=} SNMP: Value = I' 


m trapped by event 655362 


00000000: 00 cO 4f ad 28 63 00 cO a8 87 Sf cl 08 00 45 00 .40-(c.4 1_4..E. 
00000010: 00 77 £1 Sc 00 00 80 11 £7 47 89 41 9f a5 89 41 .wAs. .1.=GIAID#IA 
00000020: 9f a9 Da 91 00 a2 00 63 Ba 32 30 59 02 01 00 04 19." .c.c:20Y.... 
00000030: 06 70 75 62 6c 69 63 a4 4c 06 Da 60 86 48 01 86 .publicAL..'1H.1 
00000040: £8 37 01 82 5b 40 04 89 41 9f a9 02 01 06 02 03 e?.1[0.1418..... 
00000050: Oa 00 02 43 04 3e Be 61 12 30 2a 30 28 06 09 51 ...C.>Ia.0x*x0(..0 
00000060: 07? 1d 8f 37 Ob 01 8f 3a 04 1b 49 27 6d 20 74 72 ..17..1:..1'n tr 
00000070: 61 70 70 65 64 20 62 79 20 65 76 65 6e 74 20 36 apped by event 6 
00000080: 35 35 33 36 32 55362 


The trap values are explained in following table. 


SNMP Value Description 

SNMP Version The trap’s SNMP version. The Nsure Audit SNMP driver sends SNMPv1 
traps. 

Community The string, or password, needed to access the SNMP management 
system. 
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SNMP Value Description 


Command The SNMP Command. This is always Trap. 

Enterprise The Enterprise that sent the event is always 2.16.840.1.113719.1.347.3.1 . 

Network address The IP address of the logging server that sent the trap. 

Generic trap The Generic Trap field is always 6 (Enterprise specific). 

Specific trap The Specific Trap field always contains the Event ID of the event that 
triggered the trap. 

Time Ticks The time the event was sent in seconds since 1970. 

Object The Object ID specified in the SNMP Channel object. If no Object ID is 


specified, the Nsure Audit internal OID is used 
(2.16.840.1.113719.1.347.3.1). 


Value The Value associated with the Object is the message configured in the 
SNMP Channel object. 


SNMP Channel Driver 
The SNMP driver sends SNMPv1 traps. 


The SNMP driver does not buffer traps that are undeliverable because of a misconfiguration or a 
server failure. 


SNMP Channel Object 


The SNMP Channel object stores the information the SNMP driver needs to send traps to an 
SNMP management system. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 176 


Attribute Description 
Configuration 
Send Trap to Host The host name or IP address of the SNMP management system. 
If a host name is specified, only the first address associated with that name is used. 
Community String for Trap The community string, or password, needed to access the SNMP management system. 
If no community string is specified, the driver defaults to “public.” 
Object ID The object you wish to associate with this message. You should enter your own asn1 object id. 
If no Object ID is specified, the Nsure Audit internal OID is used (2.16.840.1.113719.1.347.3.1). 
The Nsure Audit OID is under the CCITT/US/novell tree. 
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Attribute Description 


Message The text that appears in the message body for all traps sent from this SNMP Channel object. 


Because SNMP specifications require that an SNMP packet can be no larger than 500 bytes, 
the message body is limited to 300 bytes. The SNMP driver simply truncates anything over 300 
bytes. 


The message body can contain event variables. The SNMP driver replaces these variables with 
a value from the event's designated field. For a listing of event variables, see “Event Variables” 
on page 160. 


This field is optional. 


Status This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server's Channel Container property, see “Logging 
Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 


Syslog 


The Syslog channel allows the logging server to log events to a specific syslog facility on any 
syslog host or to a remote syslog daemon. 


It is also capable of creating localized logs. If the logging applications have localized Log Schema 
files and if those files are added to their respective Application objects, the Syslog channel can 
write the log files in the language designated in the Syslog Channel object. 


The Log Schema catalogs the events that can be logged for a given application. It can also provide 
event descriptions and labels for the event fields. For more information, see “Log Schema Files” 
on page 163. 


The logging server can use the Syslog channel to write the central data store or to create filtered 
log files. 


Syslog Channel Driver 


At startup, the Syslog driver, lgdsyslog, loads each application’s log schema. If a logging 
application has multiple language versions of its log schema, the Syslog channel loads the schema 
for the language designated in the Syslog Channel object. 


Novell Nsure Audit stores log schema files as attributes in their respective Application objects. For 
further information, see “Log Schema Files” on page 163. 

NOTE: If the File and Syslog Channel objects reference the same language, the drivers independently load 
the log schema in their own memory. The only time the log schema is shared is between multiple instances of 


the same driver. For example, if you have two Syslog channels configured to write log files in English, the 
English log schema for each application is loaded only once. 
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When it writes events to the syslog facility, the Syslog driver uses the Event ID to look up each 
event in the corresponding application’s log schema and then it writes the event description to the 
data store. If the log schema isn’t available, or if there isn’t a descriptive entry for the current event, 
the Syslog channel defaults to the following format: 


SDC $TC, $S0, $NI, $NL, $NG, $N1,$N2,$SS,$ST\n 


(Client Date and Time Stamp, Component, EventID, Log Level, Group ID, Value1, Value2, 
Textl, Text2.) See “Event Variables” on page 160 for an explanation of each field and format 
variable. 


Because it uses the log schema to log events, the Syslog driver is also capable of creating localized 
logs. If a logging application has localized log schema files and if those files are added to the 
Application object, the Syslog driver uses the log schema for the language designated in the Syslog 
Channel object to write the event descriptions. 


For more information on the Syslog channel’s language attribute, see “Syslog Channel Object” on 
page 98. For information on localized log schema files, see “Localized Log Schema Files” on 
page 165. 


Syslog Channel Object 


Attribute 
Configuration 


Syslog Host 


Facility 


The Syslog Channel object stores the information the Syslog driver needs to write events to syslog. 


The following table provides a description of each Channel object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Channel object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 176 


Description 


The host name or IP address of the syslog server. 
If a host name is specified, only the first address associated with that name is used. 


The syslog server must be running a syslog daemon that allows remote connections for log 
drop-off. UNIX syslog daemons accept remote connections by default; however, Linux system 
daemons do not. Therefore, the startup script for Linux syslog daemons must be altered to 
explicitly allow remote connections. This is done using the -r switch on syslogd. 


The syslog facility to which the logging server writes events. 
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Attribute 


Log Language 


Status 


Description 


The language in which events are written to syslog. 


If a logging application has localized Log Schema files and if those files are added to the 
Application object, the Syslog channel can write log files in the selected language. If there isn't 
a log schema for the selected language, the channel defaults to English. 


Log Schema files (*.lsc) catalog the events that can be logged for a given application. They can 
also provide event descriptions and labels for the event fields. For more information, see “Log 
Schema Files” on page 163. 


If the log schema isn't available, or if there isn't a descriptive entry for the current event, the 
Syslog channel defaults to the following format: 


SDC $TC,$SO, $NI, $NL, $NG, $N1,$N2,$SS,$ST\n 
(EventID, Log Level, Group ID, Value1, Value2, Text1, Text2) 


Technically, only English is allowed because syslog is a 7-bit protocol. However, most syslog 
implementations support 8-bit, so all 8-bit languages can be selected. However, some 8-bit 
languages, such as Russian, are not very usable in syslog. No 16-bit languages are allowed. 


You can create parallel logs in multiple languages by defining multiple Syslog Channel objects 
with different languages and having a single notification filter pass all events to those channels. 


This option allows you to enable or disable the Channel object. By default, all Channel objects 
are enabled. This means that the logging server loads the Channel object's configuration in 
memory at startup. 


The Channel object must be located in a supported Channel container for the logging server to 
use it. For more information on the logging server's Channel Container property, see “Logging 
Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 
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Configuring Filters and Event Notifications 


Using filters and event notifications, Novell® Nsure™ Audit is capable of reporting when a 
specific type of event occurs, or when it does not occur. This section provides the information you 
need to configure your system filters and notifications. 


+ “Overview” on page 77 

+ “Creating Notification Objects” on page 101 
+ “Notification Filters” on page 102 

+ “Heartbeat Objects” on page 104 


Overview 


Nsure Audit provides two kinds of event notification: 
+ Filtered Notification 
+ Heartbeat Notification 


Filtered notification tells you when a specific event has occurred; heartbeat notification tells you 
when an event has not occurred. 


As the name implies, Notification Filter objects filter specific events from the stream of incoming 
events. The filtered events are then routed to one or more channel drivers where they can be logged 
to a database, routed to a Java application or SNMP management system, or broadcast to an 
administrator via SMTP. In some cases, filtered events may be directed to the CVR channel to 
trigger a reset policy. 


Heartbeat objects monitor the stream ofincoming events for the occurrence of a specific Event ID. 
Ifthe event does not occur within the designated interval, the logging server generates a heartbeat 
event (EventID 0001001). This event is automatically logged to the central data store; however, if 
you want to receive notification that a specific event has not occurred, you must create a 
Notification Filter for the corresponding heartbeat event. 


Creating Notification Objects 


Both filtered and heartbeat notifications are configured in Novell eDirectory™ using Notification 
Filter and Heartbeat objects. 


Notification Filter objects store the criteria the logging server uses to filter system events. They 
also designate which Channel objects the logging server uses to provide event notification. 


Heartbeat objects define which Event IDs the logging server is looking for and the interval at 
which those events must occur. You can also define the information that is returned in the heartbeat 
event’s Textl, Text2, Valuel, and Value2 fields. 
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You must create a separate Notification Filter object for every event you want to filter. A single 
Heartbeat object, on the other hand, can monitor multiple events. In fact, you really only need to 
create one Heartbeat object in your logging system. 


You can create Notification Filter and Heartbeat objects using ¡Manager or WebAdmin. For 
information on using ¡Manager or WebAdmin, see Chapter 4, “Configuration Tools,” on page 47. 


You must create Notification Filter and Heartbeat objects in Notification containers. The 
Notification container under Logging Services is automatically created during installation; 
however, additional Notification containers can be created anywhere in the tree. 


Creating Notification objects in the central Notification container under Logging Services is ideal 
for organizations that need a simple, easy-to-manage logging system. It also suits organizations 
that are implementing Nsure Audit as an auditing solution and, for security reasons, want to 
centrally manage their system. 


If you want to distribute logging system administration, however, Notification objects can be 
created anywhere in the tree. For example, if administration is divided by logging server, you can 
create a Notification container under each Logging Server object. On the other hand, if 
administration is divided by application (for example, one person manages logging for iChain®, 
another DirXML? lo gging, etc.), the Notification container can be created in any context assigned 
to its administrator. 


If you create a Notification container elsewhere in the tree, you must add that container to the 
logging server’s list of supported containers. At startup, the logging server scans its list of 
supported Notification containers and loads the included Notification object configurations in 
memory so it can filter events, monitor Heartbeat events, and route notifications to the appropriate 
channels. If a Notification object is not in one of the logging server’s supported Notification 
containers, it cannot use it. For more information on the logging server’s Notification Container 
property, see “Logging Server Objects” on page 61. 

IMPORTANT: The logging server loads only the Notification object configurations at startup. Therefore, if you 
create a new Notification container or Notification object, you must first ensure the Notification container is 


included in the logging server’s Notification Container list and then restart the logging server. For information 
on restarting the logging server, see “Secure Logging Server Startup Commands’ on page 176. 


Notification Filters 


Notification Filter objects define event criteria and designate which Channel objects should be 
used to provide event notification. 


To define Notification Filters, you must be familiar with event structure. All events have a fixed 
set of fields. They include: 


Event ID Value 1 
Severity Value 2 
Component Data 

Text 1 Group 
Text 2 Source IP 


For more information on each event field, see “Event Structure” on page 157. 
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Attribute 


Description 


Rule 


Event Field 


Condition 


Value 


Operator 


Notification Channels 


When you define a Notification Filter, you specify a value for a given event field. To narrow the 
results, you can define values for multiple event fields. Using standard And, Or, and Not operators, 
you can define up to 15 event conditions. 


After you define the event criteria, you must select a notification channel. Notification channels 
are simply the Channel objects the logging server uses to provide event notification. For example, 
if you want to e-mail events to your mailbox, you must select an SMTP Channel object that is 
configured to relay events to your e-mail address. Similarly, if you want to log events to a MySQL 
database, you must select a MySQL Channel object that is configured to write events to the correct 
database and table. You can define multiple notification channels for any given Notification 
object. 


The following table provides a description of each Notification Filter attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Filter object configuration. For 
more information, see “Secure Logging Server Startup Commands” on page 176. 


Description 


This field allows you to enter a description and any necessary explanation for the Notification 
Filter. 


The field limit is 255 characters. 


The information from this field is returned if one uses the SE event variable. For more 
information, see “Event Field Variables” on page 160. 


The Rule defines the filter criteria. 

The event field on which the logging server filters events. 

For more information on the event fields, see “Event Structure” on page 157. 

The condition under which the logging server applies the Value to the Event Field. 


Depending on the Event Field, you can select one of the following conditions from the drop- 
down list box: 


+ Matches 
+ Is less 
+ Is more 


+ Is between 
+ Contains 
The value for the designated Event Field. 


The logging server applies the Value to the designated Event Field under the defined 
conditions. If an event matches the criteria, it is sent to the designated notification channel. 


To narrow the filter results, you can define values for multiple event fields. Using standard And, 
or, and Not operators, you can define up to 15 event conditions. 


The conditions are accumulative; that is, the logging server applies the first condition, then the 
second, then the third, etc., to progressively narrow the results. 


The Channel objects the logging server uses to provide event notification. You can select 
multiple notification channels for any given Filter object. 


Click the Object Selector button [XJ to select Channel objects in the tree. 
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Attribute Description 


Status This option allows you to enable or disable the Notification Filter. By default, all Notification 
Filters are enabled. This means that the logging server loads the filter's configuration in memory 
at startup. 


IMPORTANT: The Notification Filter object must be located in a supported Notification 
container for the logging server to use it. For more information on the logging server's 
Notification Container property, see “Logging Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object's configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 


Heartbeat Objects 


Heartbeat objects define which Event IDs the logging server is looking for and the interval at 
which those events must occur. You can also define the information that is returned in the heartbeat 
event’s Textl, Text2, Valuel, and Value2 fields. 


If an event does not occur within the designated interval, the logging server generates a heartbeat 
event (EventID 0001001). The information in the Heartbeat object's Textl, Text2, Valuel, and 
Value2 fields is used to populate the corresponding fields in the heartbeat event. The Notification 
Filter can differentiate heartbeat events based on the values you define in the Text1, Text2, Valuel, 
and Value2 fields. 


The heartbeat event is automatically logged to the central data store; however, if you want to 
receive notification that a specific event has not occurred, you must create a Notification Filter for 
the corresponding heartbeat event. 


The following table provides a description of each Heartbeat object attribute. 


IMPORTANT: You must restart the logging server to effect any changes in Heartbeat object configuration. 
For more information, see “Secure Logging Server Startup Commands” on page 176. 


Attribute Description 
Description This field allows you to enter a description and any necessary explanation for the Heartbeat 
object. 


The field limit is 255 characters. 


Event ID The Event ID you want the logging server to monitor. 


The Event ID uniquely identifies each type of logged event. For more information, see “Event 
Structure” on page 157. 


If a logging application does not log the Event ID within the designated interval, the logging 
server generates a heartbeat event. 


IMPORTANT: The Event ID is not included in the heartbeat event. Therefore, you should enter 
information in the Text1, Text2, Value1, and Value2 fields that allows you to determine which 
event triggered the heartbeat event. 
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Attribute 


Interval 


Text1 


Text2 


Value1 


Value2 


Operators +- 


Status 


Description 


The maximum number of seconds between each event occurrence. 


If the event does not occur within the designated interval, the logging server generates a 
heartbeat event. 


The information that appears in the heartbeat event's Text1 field. It can contain any text string 
up to 255 characters. 


To facilitate filtering of heartbeat events, the Text1, Text2, Value1, and Value2 fields should 
include information that allows you to identify which event triggered the heartbeat event. 


The information that appears in the heartbeat event's Text2 field. It can contain any text string 
up to 255 characters. 


The information that appears in the heartbeat event’s Value’ field. It can contain any numeric 
value up to 32 bits. 


The information that appears in the heartbeat event’s Value2 field. It can contain any numeric 
value up to 32 bits. 


Click the plus sign (+) to add a new line. Click the minus sign (-) to remove a line. 


Each line defines a separate event for the logging server to monitor. If a given event does not 
occur, the logging server generates a unique heartbeat event using the information from the 
Text1, Text2, Value1, and Value2 fields. 


There is no programmed limit to the number of events that can be added to Heartbeat objects. 


This option allows you to enable or disable a Heartbeat object. By default, all Heartbeat objects 
are enabled. This means that the logging server loads the object’s configuration in memory at 
startup. 


IMPORTANT: The Heartbeat object must be located in a supported Notification container for 
the logging server to use it. For more information on the logging server’s Notification Container 
property, see “Logging Server Objects” on page 61. 


If you mark the Disabled option, you must restart the Secure Logging Server for the setting to 
become effective. Thereafter, the logging server cannot load the object’s configuration until you 
mark Enabled. 


For information on unloading the logging server, see “Secure Logging Server Startup 
Commands’ on page 176. 
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Generating Queries and Reports 


Logging information is only half the battle. Obviously, you have to be able to access and 
understand your log data for the information to be useful. Queries and reports allow you to view 
and interpret the information in your data store. 


Novell® Nsure™ Audit provides two tools that can be used to run queries or reports on your data 
stores. They are ¡Manager and Nsure Audit Report. The following sections provide the 
information you need to generate queries and reports in each tool. 


+ “Using ¡Manager to Generate Queries” on page 107 


+ “Using Nsure Audit Report” on page 117 


¡Manager and Nsure Audit Report are not the only tools that can be used to access log data. 
Because Novell Nsure Audit logs events to standard systems (MySQL, Oracle, syslog, and text 
files), you can directly access log data using any tool that is standardized to those systems. For 
example, you can access data in MySQL and Oracle systems using ODBC or JDBC* tools and text 
files can be opened with a standard text reader such as Windows Notepad or VIM (UNIX). 


Using ¡Manager to Generate Queries 


Novell ¡Manager is a Web-based application that is used to manage, maintain, and monitor Novell 
eDirectory™ through wired and wireless devices. With the Novell Nsure Audit plug-in module, 
¡Manager can be used to manage Nsure Audit objects in eDirectory. 


IMPORTANT: The Nsure Audit plugin module only supports ¡Manager 2.0. 


In addition to managing Nsure Audit objects, the Nsure Audit plug-in module allows you to create 
and run queries in iManager. Using the Query Configuration and Queries tasks under the Nsure 
Audit role, you can perform the following tasks: 


+ “Defining Your Query Databases in iManager” on page 108 

+ “Setting Your Global Options in iManager” on page 109 

+ “Importing and Viewing Log Events in iManager” on page 110 
+ “Defining Queries in iManager” on page 111 

+ “Running Queries in iManager” on page 115 

+ “Exporting Query Results in ¡Manager” on page 116 

+ “Printing Query Results in iManager” on page 117 


NOTE: For a general introduction to the ¡Manager interface or information on installing and opening iManager, 
see “iManager” on page 47. 
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Defining Your Query Databases in ¡Manager 


Before you can query a database, ¡Manager needs to know where to find the data store and how to 
communicate with the database. This information is stored in the database definition. Every 
database you want to query must have its own database definition in iManager. 


IMPORTANT: The database definitions you create in iManager are stored in the User object you use to log 
in to iManager. Consequently, they are not available to other users on the system. 


To create a database definition in iManager: 
1 Open the Query Configuration task. 
a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Query Configuration task. 
2 In the Query Configuration screen, click Databases > New. 
3 Inthe New Database menu, enter the database information. 
See the table below for a description of each field. 
4 When finished, click OK. 
The new database definition now appears in the Database Name list. 


The following table provides a description of each field in the database definition. 


Field Description 


Name The name you want to use to refer to this database. 


This name appears in the Database Name list. 


JDBC Class The name of the JDBC driver that iManager uses to communicate with the database. Any 
JDBC-compliant driver can be used. ¡Manager ships with the com.mysql.jdbc. Driver JDBC 
driver for MySQL databases. The driver name is case sensitive. 


The JDBC driver must be located in the iManager class path. On NetWare®, this is 
sys:\tomcat\4\commonl\lib . 


Host The IP address or host name of the database server. 
The host must be entered in the following format: 
jdbc:mysql://database_host 


“jdbc:mysal://” indicates the communication protocol iManager uses to connect with the 
database server. 


Port The port at which iManager connects to the database server. 


If this field is left blank, iManager uses the database’s default port assignment. The default port 
assignment for MySQL is 3306. 


Database The name of the database iManager queries. 


In Novell Nsure Audit, database names are defined in the MySQL and Oracle Channel objects. 
The default database name is naudit. 


If you have multiple MySQL or Oracle Channel objects, you must create a separate database 
definition for each data store. 


108 Novell Nsure Audit 1.0.1 Administration Guide 


Field Description 
Table The name of the table ¡Manager queries. 


In Novell Nsure Audit, table names are defined in MySQL and Oracle Channel objects. The 
default table name is log. 


If you have multiple MySQL or Oracle Channel objects, you must create a separate database 
definition for each data store. 


Username The user name iManager uses to authenticate with the database. 


The default username for the NetWare 6.5 data store is auditusr. (This default can be changed 
during the installation of Novell Nsure Audit.) This account has all privileges to the default 
database (naudit) and can log in from any IP address. 


By default, MySQL installs in Secure Mode on NetWare 6.5. In Secure Mode, the default 
MySQL administrative account, Root, has rights to log in only at the database server. 
Therefore, if MySQL is running in Secure Mode and you want iManager to use the Root account 
to log in to the database, MySQL and the iManager Web server must be located on the same 
server and you must specify a loopback address (“127.0.0.1” or “localhost”) in the Host field. 


Password The password the logging server uses to authenticate with the database. 


The default password for the NetWare 6.5 data store is auditpwd. (This default can be changed 
during the installation of Novell Nsure Audit.) 


IMPORTANT: If you do not specify a different default password during the installation, new 
databases can be created and accessed using the default username and password. To prevent 
this, specify a different default password during the install. 


Store Password Stores the password the logging server uses to authenticate with the database. This enables 
iManager to automatically log in to the database. 


If you do not mark the Store Password option, you must enter the password each time you run 
a query on the current database. 


Editing and Deleting Database Definitions 


After you have created a database definition, you can edit or delete the definition by marking the 
check box next to the database, then clicking Edit or Delete. 


NOTE: Deleting a database definition does not affect the actual database. It only removes the database from 
the Query Configuration task’s Database list, which means that iManager can no longer query the database. 


Setting Your Global Options in iManager 


The Global Options screen allows you to set a default limit on the number of rows returned in the 
query results. 


To set a default query limit in iManager: 
1 Open the Query Configuration task. 
a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Query Configuration task. 
2 In the Query Configuration screen, click Global Options. 
3 In the Global Options screen, specify your default query limit. 
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Option 
Limit Query Result To 


Default Sort Order 


Date/Time Format 


4 When finished, click OK. 


The Global Options screen also includes the default sort order and date time format; however, 
these options cannot be modified in the current release. 


The following table provides an explanation of each option in the Global Options screen. 


IMPORTANT: These are global settings. This means that ¡Manager automatically adds these parameters to 
all database queries unless the parameter is expressly defined in the query statement. 
Description 


This option limits the number of rows (that is, records) that are returned from a database query. 


¡Manager does not have a default sort order. 
You can sort the records in the query results screen by clicking a column heading. 
This option cannot be modified in the current release. 


¡Manager formats all time and date information in RFC822 UTC format. RFC822 is the Internet 
standard format for electronic mail message headers. All time and date values are expressed 
in UTC rather than local time. 


This option cannot be modified in the current release. 


Importing and Viewing Log Events in iManager 


The Product Events screen lists the events associated with each logging application. The 
information provided on events and event fields is required to define query statements, 
Notification Filters, and Heartbeat Notifications. 

NOTE: For an explanation of event fields, see “Event Structure” on page 157. For information on defining 


Notification Filters and Heartbeat Notifications, see Chapter 9, “Configuring Filters and Event Notifications,” on 
page 101. 


However, before you can view a logging application’s events, you must first import its log schema. 
The log schema (LSC) file catalogs the events that can be logged for a given application. It also 

provides the event descriptions and field labels that iManager uses in its query results. For more 
information, see “Log Schema Files” on page 163. 


Importing Log Schemas 


To import a logging application’s log schema in iManager: 
1 Open the Query Configuration task. 
a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Query Configuration task. 
2 In the Query Configuration screen, click Product Events. 
3 Provide the distinguished name (DN) of the Secure Logging Server. 


If you have multiple logging servers, enter the distinguished name of the logging server that 
loads the Application object configuration at startup. For an explanation, see Chapter 7, 
“Managing Applications that Log to Nsure Audit,” on page 77. 


3a Click the Object Selector button to locate the object in the directory tree. 
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To move up or down in the tree, click the navigation arrows. You can also search the tree 
by entering the object name and context in the Search frame. 


NOTE: ¡Manager only links valid entries. 


3b Click the Object History button to see a list of Logging Server objects that have been 
selected during this ¡Manager session. 


4 From the drop-down list, select which language version of the log schema you want to import. 


If an application does not have a log schema for the selected language, ¡Manager imports 
nothing. 


5 Click Update. 


When you click Update, ¡Manager locates the Logging Server object in the Directory, scans 
the logging server’s supported Application containers, and imports the log schemas from the 
Application objects in those containers. For more information, see “Application Objects” on 
page 78. 


The logging applications and their associated events now appear in the Product Name list. 


Viewing Product Events 

1 Open the Query Configuration task. 
1a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Query Configuration task. 

2 In the Query Configuration screen, click Product Events. 

3 In the Product Events screen, click the plus icon I+ next to the product name. 
This exposes the application’s associated events. 
NOTE: Only those events cataloged in the application’s log schema appear in this list. 


4 Select an event to view the Event ID, description, and field definitions. 


For more information on event fields, see “Event Structure” on page 157. 


Defining Queries in ¡Manager 


¡Manager uses queries to request information from MySQL and Oracle databases. All queries are 
defined in SQL. Although you must be familiar with the SQL language to create SQL query 
statements, this is the most powerful and flexible query method. 


¡Manager includes several predefined queries and it includes a Query Builder to help you define 
basic query statements. Of course, you can also build your own query statements. 


You can create two kinds of queries in iManager: manual queries and saved queries. Manual 
queries are simply queries that are not saved; they only run one time. Saved queries are saved in 
the Query list and can be run again and again against different databases. 


IMPORTANT: Saved queries are stored in the User object you use to log in to iManager. Therefore, they are 
not available to other users on the system. 


The following sections provide the information you need to perform the following tasks: 


+ Use Predefined Queries 
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Create Manual Queries 

Create Saved Queries 

Create Saved Queries Using the Query Builder 
Modify and Delete Saved Queries 


Using Predefined Queries 


¡Manager includes several predefined queries. You can modify these queries or run them "as is." 


1 


Open the Queries task. 

1a Click the Roles and Tasks button on the iManager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 

Ae Click the Queries task. 


2 Select the predefined queries from the Query list. 
The following table lists the queries that ship with iManager and their functions. 
Query Function 
All Returns all events in the current data store. 
All last hour Returns all events that occurred within the last hour. 
Count Returns the total number of events logged to the current data 
store. 
Distribution Returns the number of times each Event ID has occurred in the 


current data store. 


Creating Manual Queries 


To create a manual query in iManager: 


1 


a A WO N 


Open the Queries task. 

a Click the Roles and Tasks button on the iManager toolbar. 

1b In the Roles and Tasks view, expand the Nsure Audit role. 

Ae Click the Queries task. 

Click Manual Query. 

Select the database you want to query. 

In the Name field, specify the name you want to appear as the title in the query results. 
Define the query statement in the Query window. 

For basic information on building SQL queries, see “Basic SQL Query Syntax” on page 169. 


You do not need to include a FROM clause in your query statement. iManager dynamically 
builds the FROM clause using the table specified in the database definition you select when 
you run the query. However, if the query statement does include a FROM clause, iManager 
queries the table defined in the query statement. 


Click Run Query to run the query. 
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Creating Saved Queries 


To create a saved query in ¡Manager: 


1 


6 
The 


Creating Saved Queries 


Open the Queries task. 

a Click the Roles and Tasks button on the ¡Manager toolbar. 

1b In the Roles and Tasks view, expand the Nsure Audit role. 

Ae Click the Queries task. 

Click New. 

In the Name field, specify the name you want to use to refer to this query. 
The query name appears in the Query list and in the query results? title. 
Define the query statement. 

4a Create the query using the Query Builder. 


For specific information on the Query Builder, see “Creating Saved Queries Using the 
Query Builder” on page 113. 


or 
4b Write the query statement in the Query SQL Statement window 


For basic information on SQL query statements, see “Basic SQL Query Syntax” on 
page 169. 


You do not need to include a FROM clause in your query statement. ¡Manager 
dynamically builds the FROM clause using the table specified in the database definition 
you select when you run the query. However, ifthe query statement does include a 
FROM clause, ¡Manager queries the table defined in the query statement. 


Mark Translate Column Titles if you want to label the column headings in the query results 
screen with the field titles defined in the log schema. 


We recommend that you mark this option only for queries that return one type of event. If you 
mark this option for queries that return multiple types of events, Nsure Audit Report labels the 
column headings with the field titles from the last event returned in the query. 


IMPORTANT: For this option to work, you must import each application's log schema. For information, 
see “Importing Log Schemas” on page 110. 


When finished, click OK. 


query now appears in the Query list. 


Using the Query Builder 


If you are unfamiliar with the SQL query language, you can use the Query Builder to help you 
define basic saved queries. The Query Builder simplifies the process of creating a query by 
allowing you to choose from lists of predefined parameters. The Query Builder then constructs the 
query statement from the parameters you select. 


To open the Query Builder fields, select And in the initial drop-down list. 
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3 New Query - Microsoft Internet Explorer 


New Query 


Name * 


*=required 


ee 


Query Builder 


[Event ID +] [Matches +] feDireciory Seal [all +] [Done y] 


Query SQL Statement * 


I Translate column titles 


Because the Query Builder can provide only a limited set of parameters, the queries it creates are 
very simple. However, it is the easiest way to create saved queries and it is capable of creating most 
base-level queries. 


The following table reviews the options in the Query Builder. 


Parameter Description 

Event Field The event field you want to query. You can select the following options from the drop-down list: 
+ Event ID 
+ Time Frame 
+ Component 


+ 


° 


+ 


+ 


Text1 or Text2 
Source IP 
Severity 


Value or Value 2 


For more information on the event fields, see “Event Structure” on page 157. 


114 Novell Nsure Audit 1.0.1 Administration Guide 


Parameter 


Condition 


Product 


Value 


Operator 


Arrows 


Description 
The condition under which the logging server applies the Value to the Event Field. 


Depending on the Event Field, you can select the following conditions from the drop-down list 
box: 


+ matches 
+ less than 
+ greater than 
+ begins with 
+ contains 


+ is between and 


Limits the query results to a specific logging application. 


This option is available only if you select the Event ID field. 


The value for the designated event field. 


The query statement applies the Value to the designated Event Field under the defined 
conditions. If an event matches the criteria, it is returned in the query results. 


If you select Event ID in the Event field and if the designated product's log schema provides 
event descriptions, ¡Manager displays the event descriptions rather than the Event IDs; 
however, the events are still sorted by their numeric Event ID. Therefore, the event descriptions 
are not listed in alphabetical order, but related events are grouped together. 


To narrow the query results, you can define values for multiple event fields. Using standard and/ 
or operators, you can define multiple event conditions. The done operator indicates the end of 
the query statement. 


The conditions are accumulative; that is, the logging server applies the first condition, then the 
second, then the third, etc., to progressively narrow the results. 


The down-arrow moves the query down into the Query SQL Statement window. ¡Manager 
builds an SQL query statement from the parameters you define in the Query Builder. 


The up-arrow moves an SQL query statement from the Query SQL Statement window to the 
Query Builder. If the query statement includes clauses that are outside the scope of the Query 
Builder, ¡Manager returns the error SOL statement is too complex to use builder. 


Modifying and Deleting Saved Queries 


After you have created a saved query, you can edit or delete the query by marking the check box 
next to the query name and clicking Edit or Delete. 


Running Queries in ¡Manager 


4 Open the Queries task. 
1a Click the Roles and Tasks button on the ¡Manager toolbar. 
1b In the Roles and Tasks view, expand the Nsure Audit role. 
Ae Click the Queries task. 


2 Select the database you want to query from the drop-down list. 
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Queries 


For information on creating Database definitions, see “Defining Your Query Databases in 
iManager” on page 108. 


3 Mark the query you want to run. 
4 Click Run Query. 


¡Manager returns the query results in a data table; rows represent individual records and columns 
represent fields within those records. You can click any of the column headings to sort the results 
by that field. 


Step 2 of 2: Query results 


You may export and print results by clicking on the corresponding links below. 


Wayne's MySQL - all events 


Export Results | Printer Friendly 


SourcelP ClientTimestamp ClientMS ServerTimestamp Component EventID Severity Grouping Text1 

127.0.0.1 ou 10 me 0 ey Cg Object Obs Info 0 .«smtp.Channels.Logging Services 
E a danae de Cate e a Notation. Lees 
ous 12,203 g zun ara eDirinst Add Value Info 0 .WRUST-JC. novell 
ot S003 A eDirinst Add Value Info 0 [Root]. 

127.0.0.1 Jun CN ge eDirinst add Value Info 0 [Root]. 

127.0.0.1 8 g eae ebirinst | Add Value Info 0 [Root]. 

127.0.0.1 Jun 1 S003 o ieee eDirinst Add Value Info 0 [Root]. 

127.0.0.1 20 18 2003 g Jun 12, 2003  eDirlnst Delete Value Info 0 WRUST-JC, novell 


4 


If you marked the Translate Column Titles option when you defined the query, iManager labels 
the query results with the field titles defined in the log schema. iManager also displays each event’s 
field titles as you mouse over the event fields. 


NOTE: It is recommended that you only mark the Translate Column Titles option for queries that return one 
type of event. If you mark this option for queries that return multiple types of events, Nsure Audit Report labels 
the column headings with the field titles from the last event returned in the query. For more information on the 
Translate Column Titles option, see “Creating Saved Queries” on page 113. 


Exporting Query Results in iManager 


iManager can export query results in the following formats: 
+ HTML file (*.htm) 
+ Comma-Separated Text file (*.csv) 


+ Tab Delimited Text file (*.txt) 


To export query results in ¡Manager: 


1 Run a query. 
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For step-by-step instructions, see “Running Queries in ¡Manager” on page 115. 
2 Within the query results screen, click Export Results. 
3 Select the export format, then click OK. 

¡Manager brings up a Save As dialog box. 
4 Select the directory location and specify the file name. 


5 Click Save. 


Printing Query Results in ¡Manager 
1 Run a query. 
For step-by-step instructions, see “Running Queries in ¡Manager” on page 115. 
2 Within the query results screen, click Printer Friendly. 
¡Manager opens another window with the query results formatted in an HTML table. 


3 Click File > Print. 


The query results are printed to your default printer. 


Using Nsure Audit Report 


IMPORTANT: Nsure Audit Report is included with NetWare 6.5 for evaluation purposes only. It displays a 
licensing notice and terminates after 10 minutes of use until you install a valid license. 


Nsure Audit Report is a Windows-based, ODBC-compliant application that can use SQL query 
statements or Crystal Decisions Reports to query Oracle and MySQL data stores (or any other 
database that has ODBC driver support). You can define your own SQL query statements or 
import existing query statements and reports. Some logging applications might also include their 
own predefined queries or reports. Query results are returned in simple data tables; rows represent 
individual records and columns represent fields within those records. 


This section provides the information you need to use Nsure Audit Report to generate queries and 
reports. It includes 


+ “Installing Nsure Audit Report” on page 118 

+ “Launching Nsure Audit Report” on page 118 

+ “Nsure Audit Report Interface” on page 118 

+ “Defining Your Databases in Nsure Audit Report” on page 119 

¢ “Setting Default Options in Nsure Audit Report” on page 121 

+ “Importing and Viewing Events in Nsure Audit Report” on page 123 
+ “Verifying Event Authenticity in Nsure Audit Report” on page 125 
+ “Working with Reports in Nsure Audit Report” on page 127 

+ “Working with Queries in Nsure Audit Report” on page 129 
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Installing Nsure Audit Report 


Nsure Audit Report is installed with NetWare 6.5. For information on the Windows install, see 
“Installing Novell Nsure Audit on Windows” on page 40. 


The Nsure Audit Report program file, Ireport.exe, is installed to the program files\novell\nsure 
audit directory. 


Launching Nsure Audit Report 


During installation, Nsure Audit Report is added to the Start menu. To start Nsure Audit Report 
from the Start menu, click Start > Programs > Nsure Audit Reporting Application. 


Nsure Audit Report Interface 


Y Nsure Audit Report 
File Edit Query View Window Help 


Ta} 
a Y 
E 


Sy 


AAA Bars 


2 Workspace 


The Workspace window includes four panes: 


+ The Queries pane lists your defined queries. You can create, delete, or run queries in this pane. 
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+ The Reports pane lists the predefined Crystal Reports. You can import or run reports in this 
pane. 


+ The Events pane lists your logging applications and their associated events. You can run 
distribution reports or count an application’s overall events in this pane. 


You must import the applications” log schemas before they appear in the Events pane. For 
more information, see “Importing Log Schemas” on page 123. 


+ The Databases pane lists the databases that you can query. 


You must define your databases before they appear in the Database pane. For more 
information, see “Defining Your Databases in Nsure Audit Report” on page 119. 


To move between panes, simply click the tabs at the bottom of the Workspace window. You can 
also open each pane from the View menu. 


The Status Bar displays the currently selected database and table. You can click these fields to 
select another database or table. 


Defining Your Databases in Nsure Audit Report 


Nsure Audit Report allows you to run queries and reports on any ODBC Data Source defined in 
your Windows registry. 


To define your Windows Data Sources, go to the Windows Start menu and click Settings > Control 
panel > Administrative Tools > Data Sources. There you can add, remove, and configure your 
ODBC Data Sources. For more information, see Windows Help. 


After you have defined an ODBC Data Source in Windows, you can add the Data Source to your 
list of available databases in Nsure Audit Report. 


To add a Data Source to your list of available databases in Nsure Audit Report: 
1 Click File > New > Database. 
You can also right-click in the Database pane and select Insert from the shortcut menu. 
2 In the Name field, specify the name you want to use to refer to this database. 
3 Click Browse. 
4 In the Select Data Source window, click Machine Data Source. 


5 Select the Windows Data Source Name (DSN) you want to be able to query in Nsure Audit 
Report. 


6 Specify the username and password Nsure Audit Report can use to authenticate with the 
database. 


If you leave this field blank, Nsure Audit Report uses the username and password defined in 
the Data Source. 


IMPORTANT: The only time you need to specify a username and password is if your Data Source driver 
does not define the username and password or ifthe username defined in the Data Source does not have 
rights to log in from the current workstation. 


7 When finished, click OK. 
The Data Source now appears in the Database pane and can be selected for queries and reports. 


The following table provides further information on the options in the Define Database menu. 
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Option 


Name 


DSN 


Username 


Password 


Do Not Store Password 


Description 
The name you want to use to refer to this Data Source. 
This name appears in the Databases pane. 


The Windows Data Source Name (DSN) you want to add to your database list. 


For information on defining your Windows Data Sources, refer to Windows Help. 


The username Nsure Audit Report uses to authenticate with the database. 


If you leave this field blank, Nsure Audit Report uses the username and password defined in 
the Data Source. 


The only time you need to enter a username and password is if your Data Source driver does 
not define the username and password or if the username defined in the Data Source does not 
have rights to log in from the current workstation. 


In some cases, the username and password defined in the Data Source might not have rights 
to log in from the current workstation. For example, in Secure Mode, the default MySQL 
administrative account, Root, only has rights to log in at the database server. Therefore, if 
MySQL is running in Secure Mode, you either need to create a new user account with rights to 
log in from the current workstation or you must modify the rights for the Root account. (By 
default, MySQL installs in Secure Mode on NetWare 6.5.) 


The default username for the NetWare 6.5 data store is auditusr. (This default can be changed 
during the installation of Novell Nsure Audit.) This account has all privileges to the default 
database (naudit) and can log in from any IP address. 


The password Nsure Audit Report uses to authenticate with the database. 


NOTE: The default password for the NetWare 6.5 data store is “auditpwd.” (This default can 
be changed during the installation of Novell Nsure Audit.) 


By default, Nsure Audit Report stores the password the logging server uses to authenticate with 
the database. This enables Nsure Audit Report to automatically log in to the database. 


IMPORTANT: If you mark the Do Not Store Password option, you must enter the password 
each time you run a query on the current database. 


Editing and Deleting Data Sources 


To modify or delete a Data Source in Nsure Audit Report: 
1 In the Databases pane, select the Data Source you want to modify or delete. 
2 Right-click to bring up the quick menu. 
3 Modify or delete the Data Source. 
3a Select Properties to modify the Data Source. 
3b Select Delete to delete the Data Source 


NOTE: Deleting a Data Source does not affect the Data Source definition in the Windows registry. 
It only removes the Data Source from the Database list, which means Nsure Audit Report can no 
longer query or run reports on the database. 
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Defining Your Default Database and Table 


Your default database is automatically used for all queries and reports unless a specific database 
is designated in the query statement or another database is selected in the Database pane. 


To define your default database: 
4 Click the Database field on the Status bar. 
2 Select the default database from the list. 


You can also select the database in the Database pane, right-click, and select Set As Default 
Database or choose Query > Default Database from the menu bar. 


To define your default table: 
4 Click the Table field on the Status bar. 
2 Select the default table from the drop-down list, then press Enter. 


You can also click Query > Default Table from the menu. 


Setting Default Options in Nsure Audit Report 


Option 
General 


Default Sort Order 


Result 
Clipboard 


Copy All If No Entries 
Selected 


Copy 'Raw Instead of 
Translated Data 


Copy Field Headers 


The Options menu in Nsure Audit Report allows you to set your default sort order, query limits, 
date/time format, and clipboard options. 


To bring up the Options menu, click View > Options from the menu bar. 


The following table reviews the selections in the Options menu. 


Description 


The order in which records are sorted in the query results window. 


If you select ascending or descending, the records are sorted by the first column in the output 
which is the source IP address by default. 


The following Clipboard settings determine how query data is copied to the clipboard. 


If no entries are selected when you press Ctrl+C in the Query Results window, all of the query 
information is copied to the clipboard. 


Information is copied to the clipboard exactly as it appears in the database. 


This means that all translated data (including IP addresses, signatures, dates, Severity level, 
Event ID, and other numeric values) are copied in their raw format. For example, a Severity 
level of Emergency would be copied as a 1. 


The field titles defined in the log schema files are copied to the clipboard along with the data in 
their associated fields. 


IMPORTANT: This option requires that you import each logging application's log schema. For 
more information, see “Importing Log Schemas” on page 123. 
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Option 


Column Separation String 


Limits 


Limit Results To __ Rows 


Printing 
Header Font 
Data Font 


Footer Font 


Translation 


Date/Time Format 


RFC822 UTC 


RFC822 


Locale 


Locale Date 


Locale Time 


Binary Data 


Don't Display 


Description 


When records are copied to the clipboard, the text string entered in this field is used to delineate 
the fields within each record. 


This option facilitates cut and paste functions. For example, if you wanted to cut and paste data 
into an Excel spreadsheet, you would use a comma ( , ) delimiter. If you wanted to paste the 
data into tabular columns, you would use a tab delimiter. 


This option limits the number of rows (that is, records) that are returned from a database query. 


This is a global setting. This means that Nsure Audit Report automatically adds this parameter 
to all database queries unless the parameter is expressly defined in the query statement. 


The following options determine which fonts are used to print query results. 
The font used to print the column headers. 
The font used to print the query data (that is, the fields within each record). 


The font used to print the footer in the query results page. The footer contains the page number 
and query string. 


The following options determine how Nsure Audit Report presents date and time information in 
the query results. 


This is a global setting. This means that Nsure Audit Report automatically adds this parameter 
to all database queries unless the parameter is expressly defined in the query statement. 


All time and date information is formatted in RFC822 format, which is is the Internet standard 
format for electronic mail message headers. 


All values are expressed in UTC. 
All time and date information is formatted in RFC822 format. 


All values are expressed in local time as defined in the workstation’s Windows settings. 


All time and date information is formatted according to the standards and formats selected in 
the workstation’s Windows settings. 


All values are expressed in local time as defined in the workstation’s Windows settings. 


All date information is formatted according to the standards and formats selected in the 
workstation’s Windows settings. (Time information is not included.) 


All values are expressed in local date format as defined in the workstation’s Windows settings. 


All time information is formatted according to the standards and formats selected in the 
workstation’s Windows settings. (Date information is not included.) 


All values are expressed in local time as defined in the workstation’s Windows settings. 
Events logged to Novell Nsure Audit include a data field that can contain up to 3072 bytes of 
data. The following options determine how Nsure Audit Report handles the information in the 
event's data field. 


The data field is not included in the query results. 
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Option Description 


Display ASCII The data field is included in the query results and displays in ASCII format. 

Display hex The data field is included in the query results and displays in hexadecimal format. 

Display first __ bytes Limits the amount of information that is included from the data field. The maximum is 3072 
bytes. 


Importing and Viewing Events in Nsure Audit Report 


The Events pane allows you to view logging application properties as well as event data. The 
information provided on applications and their associated events can be used to define query 
statements, Notification Filters, and Heartbeat Notifications. 


NOTE: For an explanation of event fields, see “Event Structure” on page 157. For information on defining 
Notification Filters and Heartbeat Notifications, see Chapter 9, “Configuring Filters and Event Notifications,” on 
page 101. 


Before you can view a logging applications events, however, you must first import its log schema. 
The log schema catalogs the events that can be logged for a given application. It also provides the 
event descriptions and field labels that Nsure Audit Report uses in its reports. For more 
information, see “Log Schema Files” on page 163. 


Importing Log Schemas 


Novell Nsure Audit stores each application’s log schema (LSC) file in its respective Application 
object. (English LSC files are stored under the NAuditAppSchemaEn attribute.) Therefore, when 
you import log schemas, Nsure Audit Report reads the information from the Application objects 
on the designated logging server. 


To import a logging application’s log schema in Nsure Audit Report: 
4 Click File > Import > Application Schemata. 
2 Specify the IP address or host name of the Secure Logging Server. 


If you have multiple logging servers, specify the IP address of the logging server that loads 
the logging system’s Application object configurations at startup. For more information, refer 
to the logging server’s Application Container property. 


3 From the drop-down list box, select which language version of the log schema you want to 
import. 


If an application does not have a log schema for the selected language, Nsure Audit Report 
imports the application’s English log schema. 


When you click OK, Nsure Audit Report connects to the logging server and imports the log 
schemas from all Application objects in the logging server’s supported Application 
containers. For more information, see “Application Objects” on page 78. 


IMPORTANT: Nsure Audit Report writes the log schema files to its cache file, Ireport.Isc, in the Windows 
Home Directory. Therefore, the account you use to log in to Windows XP must have right to the account's 
Windows Home Directory. The Windows Home Directory is defined in the User Profile. For more 
information, see Home Directory in Windows Help. 


4 Click OK in the confirmation dialog box. 
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The Import Confirmation dialog box notes that you must restart Nsure Audit Report before 
the new schemas appear in the Events tab. 


5 Restart Nsure Audit Report. 


The new applications and their associated events now appear in the Events pane. 


Viewing Application Properties and Events 


IMPORTANT: To view events in the Events pane, the account you use to log in to Windows XP must have 
rights to the Windows Home Directory. The Windows Home Directory is defined in the User Profiles. For more 
information, see "Home Directory" in Windows Help. 


To view a logging application’s properties in Nsure Audit Report: 
1 In the Events pane, select an application. 
2 Right-click to bring up the shortcut menu. 
3 Select Properties. 


The Application Properties window displays the following information: 


Attribute Description 


Application Identifier The name assigned to the current application. 


The Application Identifier is also stored in the application's certificate. The 
Application Identifier is part of the Component string for every event logged 
from the current application. For more information, see “Application 
Objects” on page 78. 


Application ID The four-digit hex value assigned to the current application. 


The Application ID is part of the Event ID for every event logged from the 
current application. All Application IDs are assigned through Novell 
Developer Support and are maintained in the Novell Nsure Audit central 
registry. For more information, see “Application Objects” on page 78. 


Description The application description provided in the application’s log schema. 


To view a logging application’s events in Nsure Audit Report: 
1 In the Events pane, expand the application’s folder. 


This exposes the application’s associated events. Only those events cataloged in the 
application’s log schema appear in this list. 


2 Right-click to bring up the shortcut menu. 
3 Select Properties. 


You can also double-click an event to bring up the Event Properties window. 
The Event Properties window displays the Event ID, description, and field information. 


For more information on event fields, see “Event Structure” on page 157. 
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Verifying Event Authenticity in Nsure Audit Report 


To provide non-repudiable logs, Novell Nsure Audit can digitally sign each event that is logged to 
the data store. To sign an event, the logging application or the Platform A gent hashes the event 
data and signs the hash with the Logging Application’s private key. The signature is then stored 
as part of the event.This signature allows the auditor or investigator to determine if an event has 
been changed. 


To allow auditors to determine if an event has been deleted or the sequence of events has been 
changed, Novell Nsure Audit can also chain its event signatures. That is, if event chaining is 
enabled, each event's signature includes its own data as well as the signature from the previous 
event. 


Event chaining is enabled in the Platform Agent’s configuration file, logevent. For information on 
configuring this option, see “Logevent” on page 58. 


If event chaining is enabled, Nsure Audit Report can verify that all the events logged to the data 
store for each logging application are authentic; that is, it can validate the event signatures to 
determine if an application’s events have been tampered with, deleted, or if the sequence of events 
has been changed. 


Future iterations of Nsure Audit Report will allow you to verify individual events. 
To verify that an application’s logged events are authentic: 
4 Click Query > Verify Authenticity. 
Select the database where the events are logged. 
Specify the table where the events are logged. 


Select the logging application for the events you want to validate. 


a A WO N 


If the application is running on multiple systems, specify the IP address or host name of the 
Platform Agent that logged the events you want to verify in the Source Address field. 


6 Ifyou want to filter events, you can enter the component string for the events you want to 
validate in the Optional Filter field. 


7 Specify the path and filename for the Logging Application Certificate. 
Click Browse to locate the Logging Application Certificate in the directory tree. 
8 Click Verify. 


The following table provides more information on the Verify options. 


Option Description 

Database The database containing the events you want to verify. 
Table The table containing the events you want to verify. 
Application The logging application’s events you want to verify. 


In most cases, each logging application has its own certificate. This 
means that event signatures are typically application-specific. 
Therefore, NSure Audit Report verifies event signatures on a per 
application basis. 
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Option Description 


Source Address The IP address or host name of the Platform Agent that logged the 
events you want to verify. 


The only time you need to enter a source address is if the logging 
application is running on multiple systems. This allows Nsure Audit 
Report to identify which event chain to verify. 


Optional Filter Ifyou only want to verify the events for a specific component or 
module within a logging application, you can enter the component's 
Component String. 


For more information on Component Strings, see “Event Structure” 
on page 157 and “Component Strings” on page 162. 


App Certificate The path and filename for the Logging Application Certificate used to 
sign the application's events. 


The Logging Application Certificates for the eDirectory and NetWare 
instrumentations are available in the following directories: 


+ sys:\system\naudit (NetWare) 
+ \program files\novell\nsure audit\logschema\ (Windows) 
+ /opt/novell/naudit//logschema/ (Linux) 


+ /opt/NOVLnaudit/logschema/ (Solaris) 


For the locations of other logging application’s certificates, refer to the 
product documentation. 


After Nsure Audit Report verifies the application’s events, it returns the verification results. 


==| ¥erification of Authenticity 


ne is the first event in the database, but not the first event in the chain. Earlier events are missing. 127.0.0.1 6/10/2003 4:57:06 AM 6/10/20 
2 previous events are missing. 127.0.0.1 6/10/2003 4:57:06 AM ; 6/10/20 
The previous event is missing. 127.0.0.1 6/10/2003 4:57:06 AM 51 6/10/20 
Event has been tampered with. 127.0.0.1 6/10/2003 4:57:06 AM 60 6/10/20 


4996 records Peter's desktop (6/14/20 


If the event chain is authentic, Nsure Audit Report returns a message that the table’s events have 
been verified as authentic.If the event chain is not authentic, Nsure Audit Report lists each problem 
and its associated event. 


There following table provides an explanation for each signature error. 
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Signature Error 


Logging application restarted. This is the first 


Explanation 


The logging application shut down and restarted, so the event count field 


event after the restart, but it cannot be verified if 
events have been removed at the end of the 
previous chain. 


This is the first event in the database, but not the 
first event in the chain. Earlier events are missing. 


The previous event is missing. 


x previous events are missing. 


Event has been tampered with. 


(ClientMS) started again at 0; therefore, the event chain was broken. 


You can determine if the application restart was malicious or not by looking 
at the last event in the previous event chain. Logging applications send an 
event when they are unloaded, so if the last event in the previous event 
chain is an application unload event, you know that no events have been 
deleted. 


The current event is the first event in the database, however, the event 
count field (ClientMS) indicates this is not the first event in the chain. 


This message occurs if you have rolled or expired your data store. You can 
use the following methods to determine if any events are missing: 


+ If you expired your data store, you can look at the current event's time 
stamp to see if it occurred at the time you expired the data store. 


+ If you rolled the data store, you can look at the event count field for the 
last event in the archived data store to determine if it preceded the 
current event. 


The current event's signature does not include the signature from the 
previous event. 


Using the event count field (ClientMS), Nsure Audit Report can determine 
that only the previous event is missing. 


The current event’s signature does not include the signature from the 
previous event. 


Using the event count field (ClientMS), Nsure Audit Report can determine 
approximately how many previous events are missing. 


The current event’s signature is not valid. 


Although it includes the signature from the previous event, the event data 
in the signature does not match the current data. 


Working with Reports in Nsure Audit Report 


In Nsure Audit Report, the term “reports” refers specifically to Crystal Decisions Reports (*.rpt). 
Crystal Decisions Reports graphically summarize specific sets of log data in pie charts, bar charts, 


and so forth. 


Nsure Audit Report allows you to import and run Crystal Decisions Reports. Some logging 
applications might also include their own pre-defined reports. You do not need Crystal Reports to 
run reports; however, if you have Crystal Reports, you can customize the predefined reports or you 
can design your own reports and import those reports into Nsure Audit Report. 


Nsure Audit Report stores the report name and path in the Windows registry under 
HKEY CURRENT_USER\Software\Novell\Log Report Application\1.0\Reports; however, the 
actual report file is stored in the directory structure. 


The following sections discuss working with reports in Nsure Audit Report: 


+ “Importing Reports” on page 128 
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+ “Deleting Reports” on page 128 

+ “Running Reports” on page 128 

¢ “Drilling Down on Report Data” on page 129 
+ “Exporting Reports” on page 129 

+ “Printing Reports” on page 129 


Importing Reports 
To import Crystal Decisions Reports: 

1 In the Reports pane, right-click to bring up the shortcut menu. 

2 Select Insert. 

3 In the Name field, enter the name you want to appear in the Reports pane. 

4 In the File field, enter the path and filename for the Crystal Decisions Report. 
Click Browse to locate the file in the directory tree. 

5 When finished, click OK. 
Nsure Audit Report adds the report to the Reports pane. 


Nsure Audit Report stores the report name and path in the Windows registry under 
HKEY CURRENT_USER\Software\Novell\Log Report Application\1.0\Reports; however, the 
actual report file is stored in the directory structure. 


Deleting Reports 


To delete a Report in Nsure Audit Report: 
1 In the Reports pane, select the report you want to delete. 
2 Right-click to bring up the shortcut menu. 
3 Select Delete. 


Running Reports 
NOTE: You do not need Crystal Reports to run Crystal Decisions Reports in Nsure Audit Report. 
To run a report in Nsure Audit Report: 


1 In the Databases pane, select the database you want to run the report on. 


NOTE: If you do not select a database, the report runs against the default database. For more 
information, see “Defining Your Default Database and Table” on page 121. 


2 In the Reports pane, select the report you want to run. 
3 Right-click and select Run from the shortcut menu. 
Nsure Audit Report opens the report in the Report window. 
4 To update the report with live data, click the Refresh Data button Ed on the Report toolbar. 
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Drilling Down on Report Data 


After you run a report, Nsure Audit Report allows you to drill down on a specific field value. A 
drill-down report returns all records that match the selected field value. 


To run a drill-down report, simply double-click the field value you want to query. 
TIP: The mouse pointer appears as a magnifying glass over drill-down fields. 


When you run a drill-down report, Nsure Audit Report returns all records that match the given field 
value. For example, if you drill down on a SourcelP field that has a value of 192.65.102.159, Nsure 
Audit Report returns all records that have a value of 192.65.102.159 in their SourcelP field. 


Exporting Reports 


Nsure Audit Report can export reports in a variety of formats including Adobe* Acrobat*, HTML, 
Microsoft* Excel, ODBC, Rich Text Format (RTF), Microsoft Word, text, comma-separated 
values (CSV), and XML. 


To export a report in Nsure Audit Report: 
1 Runa report. 
For step-by-step instructions, see “Running Reports” on page 128. 
2 Click File > Export. 


3 Select the file format that you want to export the report to (for example, .pdf, .txt, xml, and 
so forth). 


4 Select the export destination. 
5 Click OK. 
Nsure Audit Report brings up the Save as dialog box. 


6 Specify the export filename, then click Save. 


Nsure Audit Report exports the file in the designated format to the designated path and filename. 


Printing Reports 
To print a report to your default printer: 
1 Run a report. 
For step-by-step instructions, see “Running Reports” on page 128. 


2 Click the Print button on the Report toolbar. 


Working with Queries in Nsure Audit Report 


Nsure Audit Report uses queries to request information from MySQL and Oracle databases. All 
Nsure Audit Report queries are defined in SQL. Although you must be familiar with the SQL 
language to create SQL query statements, this is the most powerful and flexible query method. 


If you are unfamiliar with the SQL language, Nsure Audit Report includes a Query Expert to help 
you define basic query statements. You can also import existing query sets and run them within 
Nsure Audit Report. 
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Nsure Audit Report stores all queries in the Windows registry under 
HKEY CURRENT_USER\Software\Novell\Log Report Application\1.0\Queries . 


The following sections provide details on working with queries in Nsure Audit Report: 
+ “Importing Queries” on page 130 
+ “Creating Manual Queries” on page 112 
+ “Creating Queries Using the Query Expert” on page 131 
+ “Modifying and Deleting Saved Queries” on page 115 
+ “Custom Query Variables” on page 133 
+ “Running Queries” on page 134 
+ “Managing Query Results in Nsure Audit Report” on page 137 
+ “Exporting Query Results in Nsure Audit Report” on page 138 
+ “Printing Query Results in Nsure Audit Report” on page 138 


Importing Queries 


To import existing queries, you must save the queries in a text-based query file. The query file 
format requires that you enclose the title of each query in square brackets [ ]. The query statement 
is on the line following the title. If you want to enable the Translate Column Titles option, enter 
Translate=1 on the line following the query statement. Empty lines are not legal and any line that 
starts with a hash (#) is commented out. 


For information on the Translate Column Titles option, see “Manually Creating Queries” on 
page 131. 


The following is a sample query file. It contains two queries: All Connection Cleared events and 
All Directory Remove events. 


Query File 


All 'Connection Cleared' events] 
SOL=SELECT * FROM log WHERE eventid=655622 
Translate=1 
All 'Directory Remove' events] 

SOL=SELECT * FROM log WHERE eventid=655368 
Translate=1 


To import SQL queries in Nsure Audit Report: 
4 Click File > Import > Query Set. 
2 Select the query file in the directory tree, then click Open. 
The queries contained in the query file now appear in the Query pane. 


All imported queries are stored in the Windows registry under 
HKEY CURRENT_USER\Software\Novell\Log Report Application 1.0 Queries . 
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Manually Creating Queries 


All queries are stored in the Windows registry under 
HKEY CURRENT_USER Software WNovelliLog Report Application\1.0\Queries . 


To manually create a query in Nsure Audit Report: 
4 Click Query > Manual. 
You can also right-click in the Queries pane and select Insert from the quick menu. 
2 In the Name field, specify the name you want to use to refer to this query. 
3 Define the query statement in the Query window. 


4 Mark Translate Column Titles if you want Nsure Audit Report to label the query results with 
the field titles defined in the log schema. 


5 When finished, click OK. 


NOTE: When using mySQL, use the LIMIT statement to prevent an excessively large number of records from 
being returned. Even with a maximum value set in Nsure Audit Report, mySQL returns up to LIMIT records. 


The query now appears in the Queries pane. 


The following table provides further information on the Direct Query options. 


Query Option Description 

Name The name you want to use to refer to this query. 
The query name is listed in the Queries pane and it appears as the title in the query results 
window. 

Query The query statement. 
Queries are defined using the SQL query language. For basic information on SQL queries, see 
“Basic SQL Query Syntax” on page 169. 
If you want your query to dynamically build the FROM clause using the currently selected 
database and table, enter FROM $1 in the query statement. 

Translate Column Titles Mark Translate Column Titles if you want Nsure Audit Report to label the column headings with 


the field titles defined in the log schema. 


We recommend that you mark this option only for queries that return one type of event. If you 
mark this option for queries that return multiple types of events, Nsure Audit Report labels the 
column headings with the field titles from the last event returned in the query. 


IMPORTANT: For this option to work, you must import each application’s log schema. For 
information, see “Importing Log Schemas” on page 123. 


Creating Queries Using the Query Expert 


IMPORTANT: To use the Query Expert, the account you use to log in to Windows XP must have rights to the 
Windows Home Directory. The Windows Home Directory is defined in the User Profiles. For more information, 
see Home Directory in Windows Help. 


If you are unfamiliar with the SQL query language, you can use the Query Expert to help you 
define basic database queries. The Query Expert simplifies the process of creating a query by 
allowing you to choose from lists of predefined parameters. The Query Expert then constructs the 
query statement from the parameters you select. 
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Parameter 
Event 
matches 

is less than 
is more than 
is between 


Events 


Query Expert 


Name: | 


Event Timeperiod | 


[matches v | | y | 


Because the Query Expert can provide only a limited set of parameters, the queries it creates are 
very simple. However, it is the easiest way to create queries and it is capable of creating most base- 
level queries. 


To create a query using the Query Expert in Nsure Audit Report: 
1 Click Query > Expert. 
2 Specify the name you want to use to refer to this query in the Name field. 
3 Define the query parameters. 
3a In the Event menu, define the condition and the event. 
3b In the Timeperiod menu, select a time parameter. 


4 When finished, click OK. 


NOTE: When using mySQL, use the LIMIT statement to prevent an excessively large number of records from 
being returned. Even with a maximum value set in Nsure Audit Report, mySQL returns up to LIMIT records. 


The query now appears in the Queries pane. 


The following table provides further information on the Query Expert’s parameters. 


Description 


The query condition. 


The event parameter. 
The drop-down menu includes all the events for every application listed in the Events pane. 


If the application’s log schema provides event descriptions, Nsure Audit Report displays those 
descriptions in the Event list; however, the events are still sorted by their numeric Event ID. 
Therefore, the event descriptions are not listed in alphabetical order, but related events are 
grouped together. 
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Parameter Description 
Timeperiod The time parameter. 


The query returns only events that occurred in the designated time frame. 


The basic structure of query statements created with the Query Expert is as follows: 


SELECT * FROM table WHERE eventid condition event(s) AND clienttimestamp> $time parameter 


Shortcuts 


The Query Expert provides some quick and easy ways to create queries for all the events in a single 
application or for a single event. 


To create a query for all the events in a single application: 
4 Select an application in the Events pane. 
2 Right-click, then select Define Query. 
3 In the Timeperiod menu, select a time parameter. 
4 Click OK. 
To create a query for a single event: 
4 Expand one of the application folders in the Events pane. 
2 Select an event. 
3 Right-click, then select Define Query. 
4 In the Timeperiod menu, select a time parameter. 


5 Click OK. 


Modifying Queries 
To modify a Query in Nsure Audit Report: 
1 In the Queries pane, select the query you want to modify or delete. 
2 Right-click, then select Properties. 
3 Modify the query. 


For information on the query options, see “Creating Saved Queries” on page 113. 


Deleting Queries 


To delete a Query in Nsure Audit Report: 
41 In the Queries pane, select the query you want to delete. 


2 Right-click, then select Delete. 


Custom Query Variables 


Nsure Audit Report has some custom variables that simplify data queries. The following table lists 
the custom query variables that can used in Nsure Audit Report. 
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IMPORTANT: All query functions must be preceded by a dollar sign ($). 


Function 


Now 


ThisMonth 


Today 


LastWeek 


Yesterday 
Date(mm-dd-yyyy) 
Hex(x) 
IP(address) 


Var(prompt) 


Description 
The currently selected database and table. 


If you want your query to dynamically build the FROM clause using the 
currently selected database and table, enter FROM $1 in the query 
statement. 


The current date and time in local time as defined in the workstation's 
Windows settings. 


The current month in local time as defined in the workstation's Windows 
settings 


The current day in local time as defined in the workstation's Windows 
settings. 


The previous week in local time as defined in the workstation's Windows 
settings. 


Yesterday in local time as defined in the workstation’s Windows settings. 
The given date in local time. 

The decimal value of hex value x 

An IP address in IPv4 dotted address form, or in host name form. 


Prompts the user for a value. When a query containg this variable is run, 
the user is prompted to input a value based on prompt. 


For example, select * from $1 where text2=’ $Var (User 
Name) ’, prompts the user for a “User Name” value which replaces the 
Var(prompt) variable. 


The following sample query statement illustrates how the query variables can be used: 
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SELECT * FROM $1 WHE 


RE eventid=131073 AND clienttimestamp>SWEEK 


To run a query in Nsure Audit Report: 


1 Select the database you want to query. 
a Click the Database field on the Status bar. 


1b Select the default database from the list. 


2 Select the table you want to query. 
2a Click the Table field on the Status bar. 


2b Select the default table from the drop-down list, then press Enter. 


3 In the Queries pane, select the query you want to run. 


4 Right-click, then select Run. 
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Nsure Audit Report returns the query results in a data table; rows represent individual records and 
columns represent fields within those records. You can click any of the column headings to sort 
the results by that field. 


EJ Nsure Audit Report - [All] 


EB Eile Edit Query View Window Help -laj x} 
ope fe] Se En? 


| SourcelP | Client Timestamp Clientms | ServerTimestamp | Component | EventID | Severity | Grouping | | 


192.108.102.142 6/7/2003 12:09:59 AM O 6/7/2003 12:09:25 AM NetMail imapd.nlm Authentication 131075 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail pop3d.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nlm Authentication 131075 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail imapd.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail pop3d.nim Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail pop3d.nlm Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail imapd.nlm Authentication 131075 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail pop3d.nlm Authentication 131078 Notice 
192.108.102.142 6/7/2003 12:09:58 AM 6/7/2003 12:09:25 AM_ NetMail pop3d.nlm Authentication 131099 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail imapd.nim Authentication 131099 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail pop3d.nlm Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail pop3d.nim Authentication 131099 Info 
192,108,102,142 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail imapd.nim Authentication 131099 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM_ NetMail pop3d.nim Authentication 131099 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail modwebd.nim Authentication 131099 Info 
192.108.102.142 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail pop3d.nim Authentication 131099 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail smtpd.nim Authentication 131078 Notice 


192.108.102.143 6/7/2003 12:09:58 AM 6/7/2003 12:09:25 AM_ NetMail smtpd.nim Queue 131093 Info 
192,108,102,143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM_ NetMail smtpd.nim Queue 131093 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Queue 131093 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail smtpd.nim Queue 131093 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Queue 131095 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:25 AM NetMail smtpd.nim Queue 131095 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail smtpd.nim Queue 131095 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail smtpd.nim Queue 131095 Info 
192.108.102.143 6/7/2003 12:09:59 AM 6/7/2003 12:09:26 AM NetMail smtpd.nim Queue 131095 Info 
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If you marked the Translate Column Titles option when you defined the query, Nsure Audit Report 
labels the query results with the field titles defined in the log schema. Nsure Audit Report also 
displays each event’s field titles as you mouse over the event fields. 


NOTE: We recommend that you mark only the Translate Column Titles option for queries that return one type 
of event. If you mark this option for queries that return multiple types of events, Nsure Audit Report labels the 
column headings with the field titles from the last event returned in the query. For more information on the 
Translate Column Titles option, see “Manually Creating Queries” on page 131. 


Running Event Distributions 


Event Distributions tell you how many times each type of event has occurred for a given 
application. For example, if you run an Event Distribution for NetWare, NSure Audit Report 
returns the number of times each event listed in the NetWare log schema occurred. 


To run an Event Distribution in Nsure Audit Report: 
1 Select the database you want to query. 
a Click the Database field on the Status bar. 
1b Select the default database from the list. 
2 Select the table you want to query. 
2a Click the Table field on the Status bar. 
2b Select the default table from the drop-down list, then press Enter. 


3 In the Events pane, select an application. 
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Counting Events 


4 Right-click, then select Distribution. 


Nsure Audit Report returns the number of times each of the application’s events occurred in the 
selected database. 


==| Distribution of Events for App NetMail" 


EventID count EventID a 


Bad Password 10486 
Unhandled Request 188053 
Login 682838 
Max Bad Passwords 21 
Unknown User 30238 
Password Change 152 
Secret Change 42 
Account Created 139 
Account Disabled 3 
Message Received 208401 
Message Sent 55743 
Connection Blocked 157572 
Recipient Blocked 80990 
Message Relayed 10253 
Recipient Limit Reached 10913 
New Connection 1369010 
Spam Blocked 164 

Virus Blocked 1577 

Message forwarded 10013 zi 


36 records Ontario (6/14/2003 12:03:20PM 4 


The Distribution window lists the Event ID and how many times that Event ID occurred. To sort 
on the Event ID, click the Event ID column. To sort by the number of occurrences, click the Count 
column. 


NOTE: If the application’s log schema provides event descriptions, Nsure Audit Report displays those 
descriptions in the Event ID column. However, when you sort on the Event ID column, events are sorted by 
their numeric Event ID, not by their description. Consequently, the event descriptions are not listed in 
alphabetical order, but related events are grouped together. 


If you want to know how many events have been logged for a given application, or the number of 
occurrences for a specific event, you can run an event count. An event count simply returns the 
number of events logged to the current database. 


To run an event count for a logging application in Nsure Audit Report: 
1 Select the database you want to query. 
1a Click the Database field on the Status bar. 
1b Select the default database from the list. 
2 Select the table you want to query. 
2a Click the Table field on the Status bar. 
2b Select the default table from the drop-down list, then press Enter. 
3 Select an application in the Events pane. 
4 Right-click, then select Count. 


Nsure Audit Report returns the total number of events that have been logged for the selected 
application. 
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To run an event count for a single event: 
1 Select the database you want to query. 
a Click the Database field on the Status bar. 
1b Select the default database from the list. 
2 Select the table you want to query. 
2a Click the Table field on the Status bar. 
2b Select the default table from the drop-down list, then press Enter. 
3 Expand an application folder in the Events pane. 
4 Select one of the application’s events. 


5 Right-click, then select Count. 


Nsure Audit Report returns the total occurrences of the selected event. 


Managing Query Results in Nsure Audit Report 


After it returns the query results, Nsure Audit Report allows you to further process the data by 
dynamically sorting records, running drill-down queries, copying specific records, and viewing 
event properties. 


Sorting Records 


To sort the query results by a specific field, click the corresponding field heading. Nsure Audit 
Report toggles between ascending and descending order. The first time you click, Nsure Audit 
Report sorts the records in ascending order. If you click again, it sorts the record in descending 
order, and so forth. 


Drilling Down on Query Data 


After you run a report, Nsure Audit Report allows you to drill down on a specific field value. A 
drill-down report returns all records that match the selected field value. 


To run a drill-down query: 
4 Position your mouse pointer over the field value you want to query. 
2 Right-click, then select Drill-down. 


Nsure Audit Report returns all records that match the selected field value. For example, if you 
drill-down on a SourcelP field that has a value of 192.65.102.159, Nsure Audit Report returns all 
records that have a value of 192.65.102.159 in their SourcelP field. 


Copying Records 
To copy specific records from the query results: 
4 Select the records you want to copy. 
da Shift-click to select contiguous records. 
1b Ctrl-click to select non-contiguous records. 
2 Right-click, then select Copy. 


You can also press Ctrl+C. 
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The query data can be copied to the Windows Clipboard in raw format, it can have field delimiters, 
and it can include field headers. How information is copied to the Windows Clipboard is managed 
through the Clipboard settings in the Nsure Audit Report Options menu. For more information, see 
“Setting Default Options in Nsure Audit Report” on page 121. 

NOTE: If the Copy All if No Entries Selected option is marked in the Options menu, you can copy all the 
records in the query results window by not selecting any records and pressing Ctrl+C. 


Viewing Individual Records 
To view a specific a specific record’s properties: 
4 Select the record you want to view. 
2 Right-click, then select Properties. 


You can also double-click the record. 


Exporting Query Results in Nsure Audit Report 


Nsure Audit Report can export query results in the following formats: 
+ HTML (*.htm) 
+ Comma-separated values (*.csv) 
+ Text (tab-delimited) (*.txt) 
To export query results in Nsure Audit Report: 
1 Run a query. 
For step-by-step instructions, see “Running Queries” on page 134. 
2 Click File > Export. 
3 In the Export Results dialog box, define the export file”s path and filename. 
4 Click the Save As Type drop-down list, then select the export format. 
5 Click Save. 


Exporting Specific Records 
1 Select the records you want to export. 
a Shift-click to select contiguous records. 
1b Ctrl-click to select non-contiguous records. 


2 Click File > Export. 


Printing Query Results in Nsure Audit Report 
To print the query results to your default printer: 
1 Run a query. 
For step-by-step instructions, see “Running Queries” on page 134. 
2 Click File > Print. 


You can also right-click, then select Print. 
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Printing Specific Records 
To print specific records from the query results: 
4 Select the records you want to print. 
fa Shift-click to select contiguous records. 
1b Ctrl-click to select non-contiguous records. 
2 Click File > Print. 


You can also right-click, then select Print. 


Working with Data Logged by the File Channel 


The File channel allows the logging server to log events directly to file, rather than logging to a 
database. The file channel can log a large number of events per second, but it cannot be queried 
using standard tools to extract data. 


To view data logged by the file channel: 
1 If your log file is in raw format, use the letrans utility to convert it to human-readable format. 
2 Open the log file in an application that supports delimited text files, such as Microsoft Excel. 


3 Use the log schema file for the application which logged the events to determine the contents 
of each column. Additional information on log schema files is contained in “How LSC Files 
Are Used” on page 164. 


Generating Queries and Reports 139 


140 Novell Nsure Audit 1.0.1 Administration Guide 


Security and Non-Repudiation 


Novell® Nsure™ Audit leverages digital certificates and signatures to ensure your log files are 
valid and non-repudiable. This section includes the information you need to authenticate your 
logging applications and validate your data store’s record of events. 


+ “Authenticating Logging Applications” on page 141 

+ “Signing Events” on page 143 

+ “Creating the Secure Logging Certificate” on page 144 

+ “Creating Logging Application Certificates” on page 145 
+ “Validating Certificates” on page 146 


Authenticating Logging Applications 


The Secure Logging Server uses digital certificates and Application IDs to verify the identity of 
all its logging applications. In fact, the Secure Logging Server only accepts connections from 
applications that have a valid Logging Application Certificate and Application Identifier. This 
ensures that unknown or spoofed entities cannot submit events to the data store. 


NOTE: The Application Identifier is the name the logging application uses to identify itself to the logging server. 
The Application Identifier is stored in the application’s certificate and Application object. For more information, 
see “Application Objects” on page 78. 
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Logging Secure 
Application Logging 
Certificate Certificate 


. Secure 
Logging 
Application ee 


Platform 
Agent 


The basic authentication process is as follows: 
1. The logging application calls the Platform Agent. 
2. The Platform Agent submits the application’s certificate to the Secure Logging Server. 


3. The Secure Logging Server validates the certificate and verifies the Application Identifier 
stored in the certificate. 


¢ A valid Logging Application Certificate must be signed with the Secure Logging 
Server’s own certificate. 


¢ A valid Application Identifier must be associated with an Application object in one of the 
Secure Logging Server’s supported Application containers. 


4. Ifthe certificate and the Application ID are valid, the Secure Logging Server accepts the 
logging application's connection. 


5. The logging application begins to log events. 


The Secure Logging Server’s certificate (the Secure Logging Certificate) is the logging system’s 
root certificate; that is, it is used to sign certificates for all the logging applications. Every 
instrumented application must have a certificate signed by the Secure Logging Server’s certificate. 


The Secure Logging Server and all logging applications ship with their own embedded certificates. 
Using these certificates, the Secure Logging Server is able to validate each logging application’s 
identity; however, the embedded certificates are not necessarily “secure” because the same 
certificates are distributed with every copy of the software. 
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If you want to further secure your logging system, you can use custom certificates generated with 
the AudCGen utility. To generate your own certificates, see “Creating the Secure Logging 
Certificate” on page 144 or “Creating Logging Application Certificates” on page 145. 


Signing Events 


Logging is an effective and useful way to determine what is happening on your system. The 
resulting data can be used for many administrative activities, including troubleshooting, usage 
characterizations (determining how people are using a system), and determining the cause (or 
responsible party) of an undesirable event. 


However, 1f you are trying to hold someone accountable for an undesirable event (such as 
accessing unauthorized information or sabotaging data), standard unprotected logs can be 
insufficient. This is because individuals can tamper with logs to delete any trace of their actions or 
to imply another cause for the event. Alternatively, an individual might simply claim that the logs 
have been tampered with, even if they haven't. Either case makes it difficult to hold an individual 
accountable for an event, especially if the individual in question is a system administrator who has 
access to the logs or has the ability to generate counterfeit events. 


For this reason, any logging system that is used for forensic evidence must provide non- 
repudiation. In other words, the system must, at a minimum, be able to prove that logs have not 
been tampered with so that a clear tie to the responsible party can be made. 


Nsure Audit achieves non-repudiation by digitally signing each event that is logged to the data 
store. To sign an event, the logging application or the Platform Agent hashes the event data and 
signs the hash with the Logging Application’s private key. The signature is then stored as part of 
the event. This signature allows the auditor or investigator to determine if an event has been 
changed. To validate an event, the signature process is simply repeated and the two signatures are 
compared. If the signatures match, the event is valid; if not, the event has been tampered with. 


To allow auditors to determine if an event has been deleted or if the sequence of events has been 
changed, Nsure Audit can chain its event signatures. That is, if event chaining is enabled, each 
event’s signature includes its own data as well as the signature from the previous event. To validate 
the event chain, all the logged events for a single application are re-signed and the event signatures 
are compared. If an event has been deleted or the sequence of events has been changed, the 
signatures in the chain will not match. 


NOTE: Event chaining is enabled in the Platform Agent’s configuration file, logevent. For information on 
configuring this option, see “Logevent” on page 58. For information on validating events in Nsure Audit Report, 
see “Verifying Event Authenticity in Nsure Audit Report” on page 125. 


Using digital signatures and event chaining, auditors can prove with certainty that specific events 
did in fact occur. If a log includes the events and the events’ digital signatures confirm that the log 
has not been modified, that log can be used as non-repudiable forensic evidence in disciplinary or 
legal proceedings. 


For example, let’s say that an employee (Joe) has been accused of insider trading. To prove this 
charge, the company must be able to provide evidence that Joe accessed financial information that 
then influenced his stock trades. The investigator audits the logs to determine if and when Joe 
accessed the financial information. The log events show that Joe did indeed access the financial 
information before making the stock trades in question. If Joe denies the allegation, the 
investigator can show that digital signatures have been used, that the signatures on the events are 
valid, and that the logged events indicate that Joe performed the action. 
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Creating the Secure Logging Certificate 


In the current iteration of Novell Nsure Audit, the Secure Logging Certificate is the system’s 
Certificate Authority (CA); that is, it is the trusted, root certificate that is used to validate all other 
certificates. Therefore, the Secure Logging Certificate is self-signed and it is used to sign all 
Logging Application Certificates. 


NOTE: Future iterations will be able to use secure certificates from an external CA. 


To generate a Secure Logging Certificate, enter the following command at the command prompt: 


audcgen -cert: filenam pkey: filename [-f] [-bits:number] [-serial:number] -ss 


The following table reviews each of the command parameters: 


Parameter Description 
-cert: filename The output path and filename for the Secure Logging 
Certificate. 


The default path and filename is \cacert.pem . 


-pkey: filename The output path and filename for the Secure Logging 
Certificate’s private key. 


The default path and filename is \capkey.pem . 
[-f] Force overwrite. 


AudCGen overwrites any existing certificates or private keys of 
the same name (for example, cacert.pem or capkey.pem) in 
the output directory. 


This parameter is optional. 


If you do not use the -f parameter and there is an existing file, 
AudCGen aborts creation of the certificate. 


[-bits: number] The number of bits for the certificate. 


The default is 512; however, Nsure Audit can handle 
certificates up to 1472 bits. The Platform Agent rejects 
certificates larger than 1472 bits. 


[-serial: number] This parameter assigns a serial number to the current 
certificate. You can use this option to keep track of your 
system’s certificates. 


This parameter is optional. 


-SS Self-sign. 


AudCGen generates a self-signed CA certificate and key. 


The following is a sample command to create a Secure Logging Certificate: 


audcgen -cert:c:\cacert.pem -pkey:c:\capkey.pem -f -bits:512 -serial:12345 -ss 
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Configuring the Secure Logging Server to Use a Custom Certificate 


To enable the Secure Logging Server to use a custom certificate and private key, you must 
configure the Secure Logging Certificate File and Secure PrivateKey File attributes on the 
Logging Server object. For more information, see “Logging Server Objects” on page 61. 


Creating Logging Application Certificates 


To generate a Logging Application Certificate, enter the following command at the command 
prompt: 


audcgen -cert: filenam pkey: filename [-f] [-bits:number] [-serial:number] -—appcert: filename 
-apppkey: filename -app:Application_Identifier 


The following table reviews each of the command parameters: 


Parameter Description 


-cert : filename The path and filename to the Secure Logging Certificate that 
AudCGen uses to sign the Logging Application Certificate. 


The default path and filename is \cacert.pem . 


-pkey: filename The path and filename to the Secure Logging Certificate's 
private key. 


The default path and filename is \capkey.pem . 


[-f] Force overwrite. 


AudCGen overwrites any existing certificates or private keys of 
the same name (for example, appcert.pem or apppkey.pem) in 
the output directory. 


This parameter is optional. 


If you do not use the -f parameter and there is an existing file, 
AudCGen aborts creation of the certificate. 


[-bits:number] The number of bits for the certificate. 


The default is 512; however, Nsure Audit can handle 
certificates up to 1472 bits. 


[-serial: number] This parameter assigns a serial number to the current 
certificate. You can use this option to keep track of your 
system’s certificates. 


This parameter is optional. 


-appcert: filename The output path and filename for the Logging Application 
Certificate. 


The default path and filename is /appcert.pem . 


apppkey: filenam The output path and filename for the Logging Application 
Certificate. 


The default path and filename is /apppkey.pem . 
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Parameter Description 
-app:Application_Identifier The logging application's Application Identifier. 
This value must match the Application Identifier stored the 


logging application's Application object. 


The following is a sample command to create a Logging Application Certificate for the Novell 
eDirectory™ Instrumentation: 


audcgen -cert:c:\cacert.pem -pkey:c:\capkey.pem -f -bits:512 -serial:12345 
-appcert:c:\appcert.pem -apppkey:c:\apppkey.pem -app:eDirInst 


Enabling Logging Applications to Use Custom Certificates 


The process of enabling a logging application to use a custom Logging Application Certificate can 
vary per application. Please refer to the logging application’s documentation. 


To enable the eDirectory Instrumentation to use a custom Logging Application Certificate, the 
path and filename for the certificate and private key files must be as follows: 


Platform Certificate Path and Filename PrivateKey Path and Filename 
NetWare® \system\dsicert.pem \system\dsipkey.pem 

Windows \windows_directory\dsicert.pem \windows_directory\dsipkey.pem 
Linux and Solaris /etc/dsicert.pem /etc/dsipkey.pem 


The NetWare Instrumentation requires \system\nwicert.pem and \system\nwipkey.pem . 


The NAudit Instrumentation uses the Secure Logging Certificate and private key configured on 
the Logging Server object. 


Validating Certificates 
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In the Nsure auditing system, all certificates must be signed by the Secure Logging Certificate and 
they must contain an Application Identifier. 


To determine if a certificate is valid, enter the following command: 


audcgen -cert: filenam pkey: filename -v -out:target_certificate 


The following table reviews each of the command parameters: 


Parameter Description 


-cert: filename The path and filename for the Secure Logging Certificate that 
AudCGen uses to validate the certificate. 


The default path and filename is /cacert.pem . 


-pkey: filename The path and filename for the Secure Logging Certificate’s 
private key. 


The default path and filename is /capkey.pem . 
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Parameter Description 


-v Validate. 


AudCGen validates the certificate designated in the -out 
parameter. 


-out :target_certificate The path and filename for the certificate you want to validate. 
The following is a sample command to validate the Logging Application Certificate for the 


eDirectory Instrumentation: 


audcgen -cert:c:\cacert.pem -pkey:c:\capkey.pem -v -out:c:\windows\dsicert.pem 
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Troubleshooting NSure Audit 


This section reviews the common issues you might encounter in Novell® Nsure™ Audit or its 
associated utilities. It also covers how to uninstall Novell Nsure Audit. 


+ “Common Issues” on page 149 

¢ “Verifying the Secure Logging Server Configuration” on page 154 

+ “Using the NetWare Instrumentation with Anti-Virus Products” on page 154 
+ “Uninstalling Novell Nsure Audit” on page 154 


Common Issues 


This section lists common issues you might encounter with Novell Nsure Audit. These include: 
+ “Secure Logging Server Does Not Load” on page 149 
+ “Events Are Not Being Logged” on page 151 
+ “Notifications Are Not Being Executed” on page 152 
+ “Volume Quickly Runs Out of Disk Space” on page 153 
+ “The Host Running the Platform Agent is Running Out of Memory” on page 153 
+ “Nsure Audit MySQL Returns a Cannot Open File Error” on page 154 
+ “MySQL on Linux Returns a Socket Connection Error” on page 154 


Secure Logging Server Does Not Load 


If the Secure Logging Server does not load, check the log for any errors that occurred during 
startup. 


» On NetWare®, check the console log (4.x/5.x) or logger screen (6.x) for any errors during 
load. 


+ On Windows, check the \nproduct.log file for any errors that were logged during startup. 


+ On Linux and Solaris, check the screen for any errors that were printed during load. 


The following table reviews the problems that might prevent the Secure Logging Server from 
loading. 
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Cause Explanation/Solution 


The driver for the default log channel could not If this is the case, the Secure Logging Server will abort loading. This is done 
be loaded/Could not initialize logging subsystem to ensure that the administrator is aware of this potentially serious condition. 


Solution 


Check the error message and fix the indicated problem. For example, if the 
MySQL driver cannot connect to the MySQL server, load the MySQL server. 


Could not authenticate to MDB. This error occurs if the Secure Logging Server cannot successfully initialize 
the MDB interface or if the host is not configured to run the Secure Logging 
Server. MDB is the directory interface used by Nsure Audit. For more 
information, see “Program Files” on page 185. 


Solution 
+ Ensure that eDirectory is working properly on the host. 


+ Configure the host to run the Secure Logging Server. 


Not enough memory During startup, the Secure Logging Server allocates memory for its own 
operation and for the event cache. If this memory cannot be allocated, the 
Secure Logging Server will terminate. 


Solution 


+ Check your Secure Logging Server configuration and adjust the cache 
settings accordingly. 


+ Unload unneeded modules loaded during startup. 
The server cannot log in to the database. The Secure Logging Server cannot log in to the data store. 
Solution 


Ensure that your MySQL password is correct. Try logging into the MySQL 
monitor using the exact settings that are configured on the MySQL channel. 
For example if the MySQL server IP address is 151.155.167.249, the 
surname is auditusr, and the password is auditpwd, log in to the MySQL 
monitor with the following syntax: 


mysql -h 151.155.167.249 -u auditusr -p 


If you cannot log in, then the MySQL rights are probably not set up correctly. 
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Events Are Not Being Logged 


The following table reviews the problems that might prevent events from being logged. 


Cause 


The logging application is logging events to 
cache 


A component is misconfigured 


Explanation/Solution 


If a logging application loads the Platform Agent while the Secure Logging 
Server is not, or not yet, loaded, its events will be logged to the Platform 
Agent's Disconnected Mode Cache. 


By default, the Platform Agent tries to reconnect to the Secure Logging 
Server only every ten minutes. The Logging Cache Module, on the other 
hand, tries to upload its cached files to the Secure Logging Server every two 
minutes. 


Solution 
Wait for the Platform Agent to reconnect to the Secure Logging Server. 


For information on changing the Platform Agent's reconnect interval, see 
“Logevent” on page 58. 


If you don't see the events after the configured upload interval, verify that 
your configuration is correct. 


There can be a misconfiguration on the Platform Agent or the Secure 
Logging Server that prevents events from being logged. 


Solution 


+ On the Platform Agent, verify that the LogHost specified in the logevent 
file points to the intended server. For information on configuring the 
Platform Agent's LogHost parameter, see “Logevent” on page 58. 


+ Verify that the computer where the platform agent is running can actually 
reach the loghost via TCP/IP. (A ping will quickly tell.) 


+ Ifthe logging application logs only debug level events, check whether the 
LogDebug option is set to Never, in which case the Platform Agent will 
not send debug level events to the server. For information on configuring 
the Platform Agent's LogDebug parameter, see “Logevent” on page 58. 


+ Ifthe logging application and Secure Logging Server are using custom 
certificates, make sure that the Logging Application Certificate has been 
signed with the Secure Logging Certificate. For more information, see 
Chapter 11, “Security and Non-Repudiation,” on page 141. 
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Cause 


A component is misconfigured continued 


Explanation/Solution 


If a single application is not logging events, 


+ 


Make sure that the application has an Application object in one of the 
Secure Logging Server’s supported Application containers. For more 
information on Application objects, see Chapter 7, “Managing 
Applications that Log to Nsure Audit,” on page 77. 


Verify that the Application Identifier property in the Application object 
matches the Application Identifier stored in the logging application’s 
certificate. For information on Application Identifiers, see “Application 
Objects” on page 78. 


If you recently created an Application object, you must restart the logging 
server to load the Application object's configuration. For information on 
restarting the logging server, see “Secure Logging Server Startup 
Commands” on page 176. 


Make sure that the Application container where your Application object is 
located is included in the logging server's list of supported Application 
containers. For information on the logging server's Application container 
property, see “Logging Server Objects” on page 61. 


Notifications Are Not Being Executed 


The following table reviews the problems that might prevent notifications from being executed. 


Cause 


A component is misconfigured. 


Explanation/Solution 


There can be a misconfiguration on the Platform Agent or the Secure 
Logging Server that prevents events from being logged. 


Solution 


+ 


Make sure that the Notification container where your Notification Filter 
object is located is included in the logging server's list of supported 
Notification containers. For information on the logging server's 
Notification container property, see “Logging Server Objects” on 

page 61. 


Ensure that the Notification object has a notification channel. For more 
information on the Notification Channels property, see “Notification 
Filters” on page 102. 


Check the console or the startup log to determine if the driver for the 
notification channel is being loaded. 


Verify that the Notification Filter is configured to select the events you 
want to trigger the notification. 
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Volume Quickly Runs Out of Disk Space 


The following table reviews the problems that might cause your data store volume to fill up 


quickly. 


Cause 


You aren't cycling the data store. 


You are logging ubiquitous events. 


The data store volume is too small to 
accommodate your logging system traffic. 


Explanation/Solution 


Implement the available log-management functions. 


+ Configure the File Channel object to roll and purge logs. For more 
information, see “File Channel Object” on page 86. 


+ Configure the MySQL Channel object to expire the database. For more 
information, see “MySQL Channel Object” on page 90. 


Review your file system, eDirectory, and NetWare event settings on the 
NCP Server object and possibly disable some often-occurring events to 
avoid filling up your disk subsystem too quickly. 


The space you need for your database depends on a number of factors 
which include, but are not limited to, how many events per second you are 
storing and how long you want to keep the data. 


To determine the required volume size for your logging system, log the 
desired events for about an hour during your host's peak utilization. Use the 
consumed disk space as a basis to calculate your logging system's required 
volume sizes. 


For some general statistics on MySQL data stores, a logging system that 
generates around 80 events per second with an average event size of 80 
bytes will consume approximately 500 MB of disk space for the database 
table and 150 MB for the index in a 24-hour period. 


The Host Running the Platform Agent is Running Out of Memory 


The following table reviews the problems that might cause the host running the Platform Agent to 


run out of memory. 


Cause 


The Disconnected Mode Cache has run out of 
disk space. 


The Disconnected Mode Cache and data store 
are on the same volume. 


Explanation/Solution 


When the Secure Logging Server is not available, the Platform Agent's 
Logging Cache module writes incoming events to the Disconnected Mode 
Cache on disk. Ifthe Disconnected Mode Cache runs out of disk space, the 
Logging Cache module falls back to memory. 


If you are running the eDirectory Instrumentation or the NetWare 
Instrumentation on the same host as the Secure Logging Server, you should 
ensure that the Platform Agent's Disconnected Mode Cache and the Secure 
Logging Server's data store are not on the same volume. 


Otherwise, if the volume fills up, you will have a total logging failure. The 
Platform Agent will have no room for the Disconnected Mode Cache and the 
Secure Logging Server will have no place to log events. 
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Nsure Audit MySQL Returns a Cannot Open File Error 


Ifthe MySQL database returns error number 145, Cannot Open File, you might need to repair the 
MySQL database. See Appendix B, “Using MySQL with Nsure Audit,” on page 167 for details on 
accessing the MySQL documentation to perform this procedure. 


MySQL on Linux Returns a Socket Connection Error 


Ifthe MySQL database on Linux returns the following error message: 


Can't connect to local MySQL server through socket '/temp/mysql.sock' (2) 2002 


Open /etc/my.cnf in a text editor and change the socket path to /Imp/mysql.sock . 


Verifying the Secure Logging Server Configuration 


To verify the configuration used by the Secure Logging Server, review the Audit the Auditor 
events logged to the data store. 


The NAudit Instrumentation logs an event every time the Secure Logging Server loads a Channel, 
Notification, or Application object. It also logs an event each time a Channel driver fails to load 
or there is a bad Heartbeat or Notification configuration. Therefore, by reviewing your system’s 
Audit the Auditor events, you can determine if your logging server is performing the way you 
expect. 


For a complete list of Audit the Auditor events, see the NAudit LSC File (http://www.novell.com/ 
documentation/lg/nsureaudit/html/naud_en.htm) 


To review the Audit the Auditor events, you can query the events in ¡Manager or Nsure Audit 
Report. For more information, see “Defining Queries in iManager” on page 111 or “Working with 
Queries in Nsure Audit Report” on page 129. 


Using the NetWare Instrumentation with Anti-Virus Products 


The NetWare Instrumentation, AuditNW, must be loaded any anti-virus product or the server will 
appear to hang and will have to be hard-reset. 


Uninstalling Novell Nsure Audit 


1 Launch Auditext at the server console. 
da On NetWare, enter sys: \system\auditext .nlm 
1b On Windows, enter \program files\novell\nsure audit\auditext.exe 
Ac On Linux, enter /opt /novell/naudit/auditext 
1d On Solaris, enter /opt /NOVLnaudit /auditext 
2 Specify your admin username and password. 
3 Select Remove Schema Extensions, then press Enter. 


AuditExt removes the Logging Services container and all of its objects. 


IMPORTANT: Nsure Audit objects located outside the Logging Services container must be manually 
deleted. 


154 Novell Nsure Audit 1.0.1 Administration Guide 


4 Exit the AuditExt utility. 


5 Remove the Nsure Audit Program files. 


5a On NetWare, delete the following files and directories: 


+ 


+ 


+ 


+ 


+ 


sys:\system\naudit\ 
sys:\system\webadmin 
auditagt.ncf 

auditDS.nlm 

auditext.nlm 

auditN W.nlm 

auditsvr.ncf 

Disconnected Mode Cache directory 
Icache.nlm 

lengine.nlm 

channel drivers (igd*.nlm) 
logevent.nlm 

logevent.cfg 

LSC files (*.Isc) 

mdb.nlm 


webadmin.nlm 


For the location of these files and directories, see “Program Filenames and Directories” 
on page 188. 


5b On Windows: 


+ 


Click Start > Settings > Control Panel > Add or Remove Programs to launch the Add 
or Remove Programs wizard. 


Select Novell Nsure Audit and click Change/Remove. 
In the InstallShield Wizard, select Remove and click Next. 


In the confirmation dialog, click OK to remove Novell Nsure Audit and its installed 
components from your system. 


5c On Linux, enter the following: 


+ 


+ 


+ 


+ 


rpm -e novell-AUDTlogserver-1.01 
rpm -e novell-AUDTplatformagent-1.0.1 
rpm -e MDB-1.0.1 


rpm -e novell-AUDTedirinst-1.0.1 


5d On Solaris, enter the following: 


+ 


+ 


+ 


+ 


pkgrm NOVLaudit 
pkgrm NOVLaudpa 
pkgrm WebAdmin 
pkgrm NOVLmdb 
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Log Events 


All events logged through Novell® Nsure™ Audit have a fixed set of fields. This section reviews 
event structure and its corollary information including event variables, application component 
strings, and log schema files. 


+ “Event Structure” on page 157 
+ “Event Variables” on page 160 
+ “Component Strings” on page 162 


+ “Log Schema Files” on page 163 


Event Structure 


All events logged through Nsure Audit have a standardized set of fields. This allows Nsure Audit 
to log events to a structured database and query events across all logging applications. 


The following diagram calls out the fields that make up a logged event. It also indicates the 
maximum size of each field. Depending on the amount of information stored in each field, events 
can be as large as 4.5 KB. 


LogLevel IP Client ClientMS Server 


Component EventID: Grouping (Severity) Address Timestamp Timestamp 


eDirInst\Object 000B0001, o, Lady 0...012, 0...011, omor 


32-bit 32-bit 


Text1 Value1 Value2 5 A Data Signature 


The following table explains each event field. 
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Event Field 


Component 


Component continued 


EventID 


GroupID 


158 


Novell Nsure 


Description 


The component string is formatted like a DOS pathname, with a backslash ( \ ) separating 
component parts. 


For example: 
\eDirectory\Database\Lookup 
\iChain\Connection Manager\Authentication 
\NetMail\POP3\Authentication 


The first part of the component string is the Application Identifier. The Application Identifier is the 
string the logging application uses to identify itself to the logging server. The Application Identifier is 
stored in the application’s certificate and Application object. 


When the Secure Logging Server authenticates an application’s connection with the Platform Agent, 
it associates the Application Identifier with that connection. Thereafter, it automatically adds the 
Application Identifier to the component string for every event coming from that connection. 


For more information on application certificates and authentication, see Chapter 11, “Security and 
Non-Repudiation,” on page 141. 


The subsequent portions of the component string are defined by the application. Typically, they 
identify modules within the application, types of events, etc. 


The intent of the component string is to facilitate queries across various products and events. For 


example, using wildcard characters, you can search for all iChain® violations (\ichain\*\violations), 
all iChain events (\ichain\*), or violations from every logging application (*\violations). You can also 
use the component string to filter events event chains. See “Verifying Event Authenticity in Nsure 
Audit Report” on page 125. 


For a listing of the Nsure Audit, eDirectory™ and NetWare® component strings, see “Component 
Strings” on page 162. 


The EventID is comprised of two elements. 


The HiWord is the four-digit hex value assigned to the current application. All Application IDs are 
assigned through Novell Developer Support and are maintained in the Nsure Audit central registry. 
Before instrumenting a new application, developers should obtain an AppID through Novell 
Developer Support (http://developer.novell.com/devres/ss/resource.htm). 


The LoWord is the AppEventID assigned by the person instrumenting the application. Typically, 
these values are assigned in ascending order. 


For more information, see the Novell Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 
An ID that can be used to identify related events. 


For example, the NetMail™ instrumentation of Nsure Audit uses this field to store the temporary 
filename assigned to each message as it passes through the message queue. By sorting on the 
Group ID, NetMail administrators can view all events that occurred as that particular message 
passed through the message queue. 
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Event Field 


Log Level (Severity) 


IP Address 


Client Timestamp 


ClientMS 


Server Timestamp 


Text1 


Text2 


Value1 
Value2 
Mime hint 
Data Size 


Data 


Description 


The log level is an indicator of the severity of the reported event. 
+ Emergency events cause the system to shut down. 

+ Alert events require immediate attention. 

+ Critical events might cause parts of the system to malfunction. 
+ Error events are errors that can be handled by the system. 

+ Warnings are negative events that do not represent a problem. 


+ Notices are positive or negative events that an administrator can use to understand or improve 
the use and operation of the current system. 


+ Info represents positive events of any importance. 
+ Debug events are used by support technicians or engineers to debug the current system. 
The IP address of the Platform Agent that logged the event. 


By default, Nsure Audit stores IP address values in network byte order. 
The time the Platform Agent received the event from the logging application. 


The event count field. 


When a logging application makes a connection to the Platform Agent, the Secure Logging Server 
begins counting the events the come over that connection. The count begins at O for the initial event 
and increments by one for every event. If the logging application is restarted, the event count is reset 
to 0. 


Nsure Audit Report uses this field to determine how many events are missing if the event signatures 
are not to valid. For more information, see “Verifying Event Authenticity in Nsure Audit Report” on 
page 125. 


The time the logging server received the event. 


The value of this field depends upon the event. It can contain any text string up to 255 characters. 


The Text1 field is vital to the function of the CVR driver. The CVR driver looks in the event's Text1 
and Text2 fields to identify the defined attribute and object for a given policy. For more information, 
see “CVR Channel Driver” on page 83. 


The value of this field depends upon the event. It can contain any text string up to 255 characters. 
The Text2 field is vital to the function of the CVR driver. The CVR driver looks in the event's Text1 
and Text2 fields to identify the defined attribute and object for a given policy. For more information, 
see “CVR Channel Driver” on page 83. 

The value of this field depends upon the event. It can contain any numeric value up to 32 bits. 
The value of this field depends upon the event. It can contain any numeric value up to 32 bits. 
This field identifies the type of data contained in the Data field. 


This field identifies the size of the data contained in the Data field. 


The value of this field depends upon the event. 


If an event has more data than can be stored in the String and Numeric Value fields, it is possible to 
store up to 3 KB of binary data in the Data field. 
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Event Field Description 


Signature The event signature. 


Nsure Audit digitally signs each event that is logged to the data store. To sign an event, the logging 
application or the Platform Agent hashes the event data and signs the hash with the Logging 
Application's private key. The signature is then stored as part of the event. This signature allows the 
auditor or investigator to determine if an event has been changed. 


If event chaining is enabled, each event's signature includes its own data as well as the signature 
from the previous event. This allows auditors to determine if an event has been deleted or if the 
sequence of events has been changed. 


Event chaining is enabled in the Platform Agent's configuration file, logevent. For information on 
configuring this option, see “Logevent” on page 58. For information on validating events in Nsure 
Audit Report, see “Verifying Event Authenticity in Nsure Audit Report” on page 125. 


Event Variables 


Nsure Audit provides several variables that can be used to return specific information from an 
event. The syntax for using these variables is 


Sformat event_field 


The event_field variable references a specific field within a logged event. The format variable 
determines how the data from the event field is displayed. Using these two variables, you can call 
specific information from an event and manage how it is displayed. 


For example, event field R returns the IP address of the Platform Agent. Using different format 
variables, the IP address appears as follows: 


$XR returns 1B043982 
$NR returns 453261698 
$iR returns 130.57.4.27 


The following tables lists the event_field and format variables. 


Event Field Variables 


IMPORTANT: Event variables are case sensitive and all variable strings must be preceded by a dollar 


sign ($). 
Variable Event Field 
O Component 
l EventID 
G GroupID 
L Log Level (Severity) 
R IP Address 
C Client Timestamp 
A Server Timestamp 
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Variable 


S 


Format Variables 


Variable 


T 


D 


Event Field 
Text1 


To use the $S variable in the SMTP Channel object’s Recipient field, this value 
must be an e-mail address. For more information, see “SMTP Channel Object” 
on page 93. 


Text2 


To use the $T variable in the SMTP Channel object’s Recipient field, this value 
must be an e-mail address. For more information, see “SMTP Channel Object” 
on page 93. 


Value1 
Value2 
Mime hint 
Data Size 
Data 


Description 


This variable returns the value of the Notification object's Description field. The 
value is unique in that it is not provided by the logging application, but by the 
Notification object that directed the event to the current Channel driver. The 
Notification object’s description is sent with the event to the Channel driver. For 
more information on Notification object’s Description field, see “Application 
Objects” on page 78 or “Heartbeat Objects” on page 104. 


IMPORTANT: Format variables are case sensitive and all variable strings must be preceded by a dollar 


sign ($). 


Format 

Local Time 
Local Date 
Numeric Format 


Signed Numeric 
Format 


String Format 


Hexadecimal Format 


RFC822 


Description 

Displays the time in the format defined on the local computer. 
Displays the date in the format defined on the local computer. 
Displays the current value in standard numeric format. 


Displays the current value in standard numeric format. However, if the value is greater 
than 2 billion, it is displayed as a negative number. 


Displays string values. 


This format variable can only be used with the O (Component), S (Text1), T (Text2), D 
(data), and SE (Description) event variables. 


Displays the current value in hexadecimal format. 


Displays the current value in RFC822 format. This variable is used to format time and 
date values. 


RFC822 is the Internet standard format for electronic mail message headers. All time 
values are expressed in UTC. 
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Variable Format 


r RFC822 local 


l Network Byte Order 


i Host Byte Order 


F Bool Yes/No 


f Bool True/False 


Component Strings 


Description 


Displays the current value in RFC822 format; however, the time and date values are 
expressed in local time rather than UTC. 


Displays the current value as an IP address. 

This variable assumes the value is in network byte order. 

By default, Nsure Audit stores IP address values in network byte order. 
Displays the current value as an IP address. 

This variable assumes the value is in host byte order. 


If the value of the field is O, this variable returns No. If the value is not O, this variable 
returns Yes. 


If the value of the field is O, this variable returns False. If the value is not 0, this variable 
returns True. 


The first part of all events logged to Nsure Audit is the component string. The intent of the 
component string is to facilitate queries across various products and events. For example, using 
wildcard characters, you can search for all iChain violations (\ichain\*\violations), all iChain 
events (\ichain\*), or violations from every logging application (*\violations). 


Each logging application has its own set of components. The following sections list the 
components strings for Novell eDirectory, NetWare, and “audit the auditor” events. For 
information on other component strings, refer to the logging application’s product documentation. 


eDirectory Component Strings 


The components for the eDirectory Instrumentation are as follows: 


Object 
Debug 
Agent 
Bindery 
Partition 
Meta 


Attribute 
Misc 
Connection 
Schema 


Replica 


For more information on the eDirectory Instrumentation, see “eDirectory Events” on page 75. 


These components are combined with the eDirectory Application Identifier (eDirInst) to form the 
component strings for all eDirectory events. For example, 


eDirInst\Object 
eDirelInst\Replica 
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NetWare Component Strings 


The components for the NetWare Instrumentation are as follows: 


File Directory 
Trustee Volume 
Module Network 
Connection Alert 
Server 


These components are combined with the NetWare Application Identifier (NetWarelnst) to form 
the component strings for all NetWare events. For example, 


NetWarelnst\File 
NetWarelnst\Network 


Audit the Auditor Component Strings 


The components for NAudit Instrumentation are as follows: 


Generic License 
Authentication Log 

Channel Configuration 
Heartbeat Engine 


These components are combined with the Novell Nsure Audit Application Identifier 
(NsureAuditInst) to form the component strings for all Novell Nsure Audit events. For example, 


NsureAuditInst\Channel 
NsureAuditInst\Log 


Log Schema Files 


Log Schema (LSC) files catalog the events that can be logged for a given application. They also 
provide event descriptions and field titles, although this is optional. For information on creating 
Log Schema files, see the Novell Nsure Audit SDK (http://developer.novell.com/ndk/naudit.htm). 


Nsure Audit stores LSC files as attributes in their respective Application object. (English LSC files 
are stored under the NAuditAppSchemaEn attribute.) Typically, logging applications use the 
AuditExt utility to automatically create their associated Application object and to populate the 
Application object’s log schema attribute; however, if you modify or localize an LSC file, you can 
manually add it to the Application object using WebAdmin or the AuditExt utility. For more 
information on this procedure, see “Using AuditExt to Add LSC Files to Application Objects” on 
page 180. 


+ “How LSC Files Are Used” on page 164 

+ “Localized Log Schema Files” on page 165 

+ “Adding LSC Files to Application Objects” on page 165 
+ “Sample LSC Files” on page 166 
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NOTE: In the WebAdmin administration tool, you can view each application's LSC file in its respective 
Application object. For more information, refer to the Application object's Schema attribute. 


How LSC Files Are Used 


Queries 


The information stored in the log schema files —specifically Event IDs, Group IDs, Text and 
Numeric field vales—is useful in defining query statements, Notification Filters, and Heartbeat 
Notifications. For example, if you want to receive a notification anytime a server goes down, you 
must first look up the Event ID for the Server Down event in the NetWare log schema. You can 
then configure a Notification Filter that selects events with an Event ID of 000A0103. 


The File and Syslog drivers use the log schemas to create localized, human readable log files. At 
startup, the File and Syslog channel drivers load each application’s log schema in memory. If a 
logging application has multiple language versions of its log schema, the drivers load the schema 
for the language designated in their respective Channel objects. The File and Syslog channel 
drivers then reference the log schemas to write localized event descriptions to their log files. 


NOTE: If the File and Syslog Channel objects reference the same language, the drivers independently load 
the log schema in their own memory. The only time the log schema is shared is between multiple instances of 
the same driver. For example, if you have two File channels configured to write Translated log files in English, 
the English log schema for each application is loaded only once. For more information, see “File Channel 
Driver” on page 86 and “Syslog Channel Driver” on page 97. 


iManager and Nsure Audit Report also reference the log schemas. They use the Field titles defined 
in the log schemas to label column headings and event fields in the query results. 


Step 2 of 2: Query results 


You may export and print results by clicking on the corresponding links below. 


Wayne's MySQL - all events 


Export Results | Printer Friendly 


SourcelP ClientTimestamp ClientMS ServerTimestamp Component EventID Severity Grouping Text1 

127.0.0.1 Ja Le e 0 Jun 10 e a ee Info 0 ssmtp.Channels, Logging Services 
cron: ABER A. toe 
127.0.0.1 Jun 18 2003 0 ieee eDirinst add Value Info 0 .WRUST-JC. novell 

127.0.0.1 Au 0 Jun 12; gia eDirinst | Add Value Info 0 [Root]. 

127.0.0.1 See o san le aa eDirinst o Add Value Info 0 [Root]. 

oa 0 Jün 12, 2003 eDirinst Add Value Info 0 [Root]. 

127001 a o aan de ga eDirinst Add Value Info 0 [Root]. 

127.0.0.1 299 12 2003 a Jun 12, 2003  eDirlnst ~~ Delete Value Info 0 AWRUST-JC,novell 

4 


¡Manager and Nsure Audit Report manually import log schemas from the Application objects. For 
information on importing and viewing log schema files, see “Importing and Viewing Log Events 
in ¡Manager” on page 110 and “Importing and Viewing Events in Nsure Audit Report” on 

page 123. 
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Localized Log Schema Files 


Although there is only one log schema for a given application, there can be many localized 
versions ofthe Log Schema file. Nsure Audit stores each language version of the LSC file as an 
attribute in its respective Application object. For example, English LSC files are stored under the 
NAuditAppSchemaEn attribute; German LSC files are stored under the NAuditAppSchemaDe 
attribute; and so forth. 


IMPORTANT: Each language version of the LSC file must be added to the Application object before it can be 
used by the Syslog and File channel drivers to create localized log files. 


Nsure Audit Report and ¡Manager only support one language version of each log schema file at a 
time. 


Adding LSC Files to Application Objects 


During installation, logging applications use the AuditExt utility to automatically create their 
associated Application objects and to populate the Application objects” log schema attribute. 
However, if you modify or localize a LSC file, you can manually add it to the Application object 
using WebAdmin or by running the AuditExt utility at the server console. 


To add a log schema to an Application object using WebAdmin: 
1 Open the logging application’s LSC file in a text editor such as Windows Notepad. 
2 Select the entire file and press Ctrl+C to copy it to the Clipboard. 
3 In WebAdmin, select the logging application’s associated Application object. 


4 Click in the schema window and press Ctrl+V to paste the LSC file into the Application 
object. 


5 When finished, click Save. 


To add a log schema to an Application object using AuditExt, enter the following command at the 
server console: 


auditext -lsc -u:username -p:password "-a:Application_object" -f:LSC_file -1l:language 
For example, 
auditext -lsc -u:admin -p:argl "-a:eDirectory Instrumentation" "-f:ltempledir.lsc" -l:en 


If the path to the LSC file contains spaces, enclose the path and the -f flag in quotation marks. For 
example, "-f:c:/my files/myapp.lsc". 


AuditExt requires that the first line of all LSC files is formatted as follows: 
+"object_name”Application_ID"Application_Identifier” language_identifier 


Each parameter is explained below. 


Parameter Description 
object_name The string that is used as the name of the Application 
object. 
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Parameter Description 


Application_ID The four-digit hex value assigned to the current 
application. 


All Application IDs are assigned through Novell Developer 
Support and are maintained in the Nsure Audit central 
registry. 


Application_Identifier The name the logging application uses to identify itself to 
the logging server. 


The Application Identifier is stored in the application’s 
certificate. 


language_identifier A two character code for the current LSC file’s language. 


The following is a list of language codes: 


+ EN = English 
+ ES = Spanish 
+ FR = French 


+ DE = German 
+ IT = Italian 
+ PT = Portuguese 


+ RU = Russian 


If no path is given, AuditExt looks for the log schema files in the working directory of AuditExt. 
By default, schema log files are contained following directories: 


Operating System Directory 

NetWare sys:\system\naudit\*.lsc 

Windows \program files\novell\nsure audit\logschema\*.Isc 
Linux /opt/novell/naudit/logschema/*.Isc 

Solaris /opt/NOVLnaudit/logschema/*.Isc 


Sample LSC Files 


The following links take you to the LSC files for Nsure Audit, eDirectory and NetWare. 
+ Nsure Audit (http://www.novell.com/documentation/lg/nsureaudit/html/naud_en.htm) 
¢ eDirectory (http://www.novell.com/documentation/lg/nsureaudit/html/edir_en.htm) 
+ NetWare (http://www.novell.com/documentation/lg/nsureaudit/html/nw_en.htm) 


NOTE: In the WebAdmin administration tool, you can view each application's LSC file in its respective 
Application object. For more information, refer to the Application object's Schema attribute. 


166 Novell Nsure Audit 1.0.1 Administration Guide 


Using MySQL with Nsure Audit 


This section provides basic information that helps you use MySQL with Novell® Nsure™ Audit. 
+ “SQL Expiration Command Variables” on page 168 
+ “Basic SQL Query Syntax” on page 169 
+ “Optimizing Your Queries” on page 172 
+ “MySQL Miscellaneous Functions” on page 173 
+ “Sample Query” on page 171 
Refer to your MySQL manual for information on the following: 
+ How to install MySQL 
+ How to create users and grant access rights within MySQL 
+ How to optimize MySQL 
+ Complex or Advanced Query syntax 
+ Repairing a MySQL database 


NOTE: All of the current MySQL distributions are available from the Downloads page (http://www.mysql.com/ 
downloads/index.html) at the MySQL Web site. The MySQL Reference Manual is available from the 
Documentation page (http://www.mysql.com/documentation/index.html). 


Basic Operations in MySQL 


This section contains some basic information about MySQL, and is not intended to help you get 
started using MySQL with Nsure Audit. If the Audit database is not present, Nsure Audit creates 
it automatically. 


Creating a User 


1 Connect to your database using the MySQL Monitor (mysql.exe, mysql.nlm, mysql). The 
MySQL monitor is in mysql/bin by default. 


2 Run 
mysql -u username -p 
3 Enter a password. 


4 Run Flush Privileges; to apply the changes. 
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Granting Access to a Database 
4 To create a local user, In MySQL Monitor, run 


grant all privileges on database.table to username; 


For example, grant all privileges on naudit.* to audituser grants the default audit user access 
to the default audit database. For additional information on privileges, see the MySQL 
documentation. 


4 To create a remote user (a user who can log in from anywhere), run 
grant all privileges on database.table to username@’ %’; 


For example, grant all privileges on naudit.* to audituser@’%’ enables audituser to remotely 
access all tables in the naudit database. Optionally, the % wildcard could be replaced with a 
full or partial DNS name or IP address, for example, audituser@’%.novell.com’ allows access 
only from a DNS entry resolving to the .novell.com domain. 


2 Run Flush Privileges; to apply the changes. 


Setting an Account Password 
1 Run 
set password for username=PASSWORD (‘password’); 
For example, set password for audituser=PASSWORD(‘newpass’) 
2 Run Flush Privileges; to apply the changes. 


SQL Expiration Command Variables 


The following table lists the variables that can be used with expiration commands in the MySQL 
Channel object’s SQL Expiration Commands property. For information on the SQL Expiration 
Commands property, see “MySQL Channel Object” on page 90. 


IMPORTANT: SQL expiration command variables are case sensitive. 
IMPORTANT: All variable strings must be preceded by a dollar sign ($). 
Variable Description 
Novell Nsure Audit Custom Variables 
T Novell Nsure Audit’s default table schema. 


| The table name defined in the MySQL Channel object configuration. 


e The CREATE TABLE Options defined in the MySQL Channel object 
configuration. 

Date Formatting The date format can be tied together (for example, $Y$M$D). 

Y Year (four digit) 

y Year (two digit) 

M Month (two digit) 

D Day (two digit) 
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Variable Description 


h Hour (two digit) 

m Minute (two digit) 

Ss Second (two digit) 

n Now. This value displays as yyyymmdd. 


Sample SQL Expiration Command Script 


create table newtabl ($T) $e;RENAME TABLE $1 TO 1$n, newtable TO $1 


This script does the following: 
1. Creates a new table using the CREATE TABLE Options. 
2. Renames the current table so 1t includes the date and time in decimal. 


3. Renames the new table with the default table name. 


Basic SQL Query Syntax 


All SQL queries use the Select command. The Select command retrieves the table rows (records) 
that match the given query statement. 


The basic Select command syntax is as follows: 


SELECT 


select_expression,... 


[FROM table_references 


WHERE where_definition] 
GROUP BY {unsigned_integer | col_name | formula} [ASC | DESC], ...] 


HAVING where_definition] 


ORDER BY {unsigned_integer | col_name | formula} [ASC | DESC]. pesal 


LIMIT [offset,] rows | rows OFFSET offset]] 


All keywords used must be given in exactly the order shown above. For example, a HAVING 
clause must come after any GROUP BY clause and before any ORDER BY clause. 


The following sections provide general information on each phrase in the Select syntax. For more 
specific information, see the MySQL Reference Manual (http: //www.mysql.com/documentation/ 
index.html). 

select_expression 


Select expression indicates the information you want to retrieve from the server. Each item is 
separated with a comma (, ). 


ALL is the default, meaning that all records are returned. 


The asterisk (*) retrieves all the columns in every table shown in the FROM clause. 
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DISTINCT is a keyword that tells the query to filter out all duplicate records. 


The select_expression can also contain aggregate functions. Aggregate functions return a single 
value based upon another set of values. The most common aggregate functions include: 


+ AVG returns the average of all non-null values in the specified columns. 
+ COUNT counts the occurrences of non-null values in the specified columns. 


+ COUNT DISTINCT counts the occurrences of all unique, non-null values in the specified 
columns. 


+ COUNT counts every record in the table. 
+ MAX returns the highest non-null value in the specified columns. 
+ MIN returns the lowest non-null value in the specified columns. 


+ SUM totals all non-null values in the specified columns. 


FROM Clause 


The FROM clause indicates the tables from which to retrieve rows. 


WHERE Clause 


The WHERE clause defines the search conditions. It provides most of the search conditions that 
filter unwanted data from the query. (The results ofthe WHERE clause can be further filtered by 
the HAVING clause.) 


The basic syntax for the where_definition is as follows: 


search_condition ::= 


{ [ NOT ] predicate | ( search_condition ) ) 
[ { AND | OR } [ NOT ] { predicate | ( search_condition ) } ] 
} [ ,...n ] predicate ::= 
{ expression { = |<>]!-=|>[]>-2+|!> |< | <= |! < } expression 


string_expression [ NOT ] LIKE string_expression 


[ ESCAPE 'escape_character' ] 


expression [ NOT ] BETWEEN expression AND expression 


expression IS [ NOT ] NULL 


CONTAINS 
( { column | * } , 'contains_search_condition' ) 
FREETEXT ( { column | * } , 'freetext_string' ) 
expression [ NOT ] IN ( subquery | expression [ ,...n ] ) 
expression {= | <> | !=| >| >=]|!>]|<]|<=]!<>) 


{ ALL | SOME | ANY} ( subquery ) 


EXISTS ( subquery ) 
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GROUP BY Clause 


The GROUP BY clause is only needed in queries that utilize aggregate functions. The GROUP 
BY clause is used to group output rows. 


HAVING Clause 
The HAVING clause adds search conditions on the result of the GROUP BY clause. 


HAVING works very much like the WHERE clause and uses all the same search conditions. 


ORDER BY Clause 


The ORDER BY clause is used to sort the query results. The query results can be sorted in 
ascending (ASC) or descending (DESC) order. Ascending order is the default. 


LIMIT Clause 


The LIMIT clause takes one or two arguments to limit the number of rows returned. If it has one 
argument, it designates the maximum number of rows to return. If it has two arguments, the first 
is the offset and the second is the maximum number of rows to return. 


If the second argument is —1, MySQL returns all rows from the specified offset until the end. For 
example, to return from row 2 to the end, use this command: 


SELECT f1 FROM tl LIMIT 1,-1 


Sample Query 


The following is a NetMail™ query that lists the top ten bad password users over the past hour: 


mysql> Select Textl 'Username' , Count (Text1) 'Total Attempts', Count (Distinct Text2) 'Unique 
Passwords', Count (Distinct Valuel) 'Unique IP Addresses' from log where EventID=0x20001 and 
ClientTimestamp> (unix_timestamp()-3600) group by Textl order by 'Total Attempts' DESC limit 10; 


Result 


MySQL returns the results as follows: 


+ + + + 
eje 
Username Total Attempts | Unique Passwords | Unique IP Addresses 
+ + + + 
+ 
samejones 399 | 2 
eltrijillo 78 | 1 
thelomb 27 | 2 2 
jstrec 26 | 1 
krg 11 | 1 
tes197 11 | 1 
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| elvin-v | it | 1 | 1il 


| daveknub | 10 | 1 | Ts; 
| dannyjes | 10 | 1 | 1 | 
| samiam | 10 | 1 | 1 | 
+ + + + 


+ 


10 rows in set (10.92 sec) 


Optimizing Your Queries 


There are two basic ways you can optimize your queries. 
+ “Query with an Index” on page 172 
+ “Minimize Query Data” on page 173 


The following sections give more detail on these options. 


Query with an Index 


Any query that uses an index is faster than one that does not. Un-indexed queries can be slow and 
might require excessive CPU cycles. 


The Nsure Audit table structure includes indexes on the Event ID and ClientTimestamp fields. If 
necessary, you can create indexes for additional table fields. 


To determine if a query has an index, use the following command line: 

explain query string\G 

The \G parameter simply makes the output more attractive. 

For example, if you enter the following command line for a query that does have an index, 
explain select eventid, count (eventid) from log group by eventid\G; 


MySQL returns the following: 


KKK KKK KKK KKK KKK KKK ], row KAA KKK KKK KKK KKK KKK KKK KKK KKK 


table: log 


type: index < 
possible_keys: NULL 
key: EventIDIndex <-- 


key_len: 9 


ref: NULL 


rows: 3265918 


Extra: Using index <-- 


1 row in set (0.00 sec) 
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On the other hand, if you enter the following command line for a query that does not have an index, 
explain select component, count (component) from log group by component\G; 
MySQL returns the following: 

ES 1 . row KEKKKKKKKKKKKKKKKKKKKKKKKKK 

table: log type: ALL 

possible_keys: NULL 


key: NULL 


key_len: NULL 


ref: NULL 


rows: 3289946 


Extra: Using temporary; Using filesort <-- No mention of an index 


1 row in set (0.00 sec) 


Minimize Query Data 


Another way you can optimize your queries is to minimize the amount of data your query acts on. 
For example, the following is an eDirectory™ Instrumentation query that returns all the user 
logins: 


Based on EventID: 
select textl from log where eventid=0x10301; 


To limit the query to only those user logins that occurred in the last hour, you would modify the 
query as follows: 


Based on EventID and Time: 


select textl from log where eventid=0x10301 
andClientTimeStamp> (unix_timestamp()-3600) ; 


MySQL Miscellaneous Functions 


MySQL provides two functions that translate queried data into more useful formats: 
+ “SELECT INET _NTOA” on page 174 
+ “SELECT INET_ATON” on page 174 
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SELECT INET_NTOA 


The IPAddress function translates a number into an IP address in dotted form. The function syntax 
is 

IPAddress (number) 

The IPAddress function expects the number to be in the INTEL* host byte order format. 

For example, if you enter this command line, 

select IPAddress (453261698) ; 

MySQL returns the following: 


+ + 


| IPAddress (453261698) | 


+ + 


| 130.57.4.27 | 


+ + 


1 row in set (0.00 sec) 


SELECT INET_ATON 


The IP function translates an IP address into a number that can be stored in a database. The 
function syntax is 


IP (ip_address) 

The IP function translates the IP address into a number in the INTEL host byte order format. 
For example, if you enter this command line, 

select IP(130.57.4.27); 

MySQL returns the following: 


+ + 


| IP (130.57.4.27) | 


+ + 
| 453261698 | 


+ + 


1 row in set (0.00 sec) 
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Commands and Utilities 


This section reviews the startup commands and utilities used with Novell® Nsure™ Audit. 
+ “Platform Agent Startup” on page 175 
+ “Logging Cache Module Startup” on page 175 
+ “Secure Logging Server Startup Commands” on page 176 
+ “Starting and Stopping the Secure Logging Server on NetWare” on page 176 
+ “Starting and Stopping the Secure Logging Server on Windows” on page 177 
+ “Starting and Stopping the Secure Logging Server on Linux” on page 177 
+ “Starting and Stopping the Secure Logging Server on Solaris” on page 177 
+ “NetWare and eDirectory Instrumentation Startup Commands” on page 177 


+ “Starting and Stopping the NetWare and eDirectory Instrumentations on NetWare” on 
page 178 


+ “Starting and Stopping the eDirectory Instrumentation on Windows” on page 179 


¢ “Starting and Stopping the eDirectory Instrumentation on Linux and Solaris” on 
page 179 


+ “AuditExt” on page 179 


Platform Agent Startup 


The Platform A gent (logevent) is the client portion of the Nsure auditing system. It must be 
installed on every server or workstation running applications that log events to Novell Nsure 
Audit. 


Logevent is a shared library that is automatically loaded by its local logging applications. 
Consequently, it does not need to be manually loaded or unloaded. 


Logging Cache Module Startup 


The Logging Cache Module (Icache) writes events to the Disconnected Mode Cache if the 
connection between the Platform Agent and the Secure Logging Server fails. It is installed with 


logevent on every server or workstation running applications that log events to Novell Nsure 
Audit. 


On NetWare® and Windows, logevent automatically loads lcache. On Linux and Solaris systems, 
Icache must be manually loaded. 


To load Icache on Linux systems, enter 
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/opt/novell/naudit/lcache 
To load Icache on Solaris systems, enter 


/opt/NOVLnaudit/lcache 


IMPORTANT: Do not unload Icache. Even if the local logging applications are no longer running, Icache must 
stay loaded so it can upload cached data to the Secure Logging Server. To prevent the Logging Cache Module 
from being unloaded, you can set the LogCacheUnload setting to No in the logevent file. For more information, 
see “Logevent” on page 58. 


Secure Logging Server Startup Commands 


The Secure Logging Server (lengine) is the server component in the Nsure auditing system. It is 
installed on the server you want to manage the flow of information to and from the auditing 
system. 


Lengine automatically loads MDB, the Directory interface. Before starting the logging server, 
MDB verifies if Novell eDirectory™ is ready. If eDirectory is not ready, the logging server does 
not load. 


NOTE: On Windows systems, the logging server loads, but it automatically falls back to Windows registry 
configuration. 


The startup commands for NetWare, Windows, Linux, and Solaris systems are reviewed in the 
following sections. 


¢ “Starting and Stopping the Secure Logging Server on NetWare” on page 176 
+ “Starting and Stopping the Secure Logging Server on Windows” on page 177 
¢ “Starting and Stopping the Secure Logging Server on Linux” on page 177 

+ “Starting and Stopping the Secure Logging Server on Solaris” on page 177 


Starting and Stopping the Secure Logging Server on NetWare 


On NetWare, the startup script for the Secure Logging Server is included in the auditsvr.ncf file. 
Auditsvr.ncf is added to the server’s autoexec.ncf file during installation so lengine.nlm loads each 
time the server restarts. 


To manually load the Secure Logging Server on NetWare, enter 
load lengine 

or 

load auditsvr.ncf 


If you want to prevent the Secure Logging Server from being unloaded by users with access to the 
server console, you can append the -n switch to the server startup script. (For example, 
load lengine -n .) 


To manually unload the Secure Logging Server on NetWare, enter 


unload lengine 


NOTE: Lengine.nim and auditsvr.ncf are located in the sys:\system directory. 


You must individually start or stop each logging server in the tree. 
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Starting and Stopping the Secure Logging Server on Windows 


On Windows, the startup script for the Secure Logging Server is included in the naudit.exe file. 
Naudit.exe has an Automatic startup type so lengine.exe loads each time the server restarts. 


To manually load or unload the Secure Logging Server on Windows, you must start or stop the 
Novell Nsure Audit Manager service: 


4 Click Start > Settings > Control Panel. 
2 Open the Services window. 
+ On Window NT, select Services. 
+ On Windows 2000 and XP, select Administrative Tools > Services. 


3 In the list of installed services, right-click Novell Nsure Audit Manager, then select Start or 
Stop. 


You must individually start or stop each logging server in the tree. 


Starting and Stopping the Secure Logging Server on Linux 


On Linux, the startup script for the Secure Logging Server is /etc/init.d/novell-naudit . This startup 
script loads lengine each time the server restarts. 


To manually start the Secure Logging Server on Linux, enter 
/etc/init.d/novell-naudit start 

To stop the Secure Logging Server on Linux, enter 
/etc/init.d/novell-naudit stop 


You must individually start or stop each logging server in the tree. 


Starting and Stopping the Secure Logging Server on Solaris 


On Linux, the startup script for the Secure Logging Server is /etc/init.d/naudit . This startup script 
loads lengine each time the server restarts. 


To manually start the Secure Logging Server on Solaris, enter 
/etc/init.d/naudit start 

To stop the Secure Logging Server on Solaris, enter 
/etc/init.d/naudit stop 


You must individually start or stop each logging server in the tree. 


NetWare and eDirectory Instrumentation Startup Commands 


The NetWare and eDirectory Instrumentations for Novell Nsure Audit (auditNW and auditDS, 
respectively) allow Nsure Audit to log NetWare, eDirectory, and file system events. 


For information on selecting which events you want Novell Nsure Audit to log, see Chapter 6, 
“Logging eDirectory, NetWare, and File System Events,” on page 73. 
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To enable NetWare and file system logging, auditNW must be loaded on every server on which 
you want to log NetWare and file system events. To log replicated eDirectory events (such as 
object creation and deletion), auditDS should be loaded on one server per DS Replica. To log non- 
replicated events (such as logins), it must be installed on each individual server for which you want 
to log non-replicated events. 


IMPORTANT: If you load auditDS on more than one server per DS Replica, you will get duplicate entries for 
replicated events. 


Additionally, the Platform Agent must be installed on every server on which you want to log 
NetWare, file system, and eDirectory events. AuditNW and auditDS automatically load the 
Platform Agent (logevent) to send events to the Secure Logging Server. 


Typically, auditNW and auditDS should be automatically loaded each time the server or 
workstation restarts. However, you can also manually load or unload the instrumentation files. The 
following sections review the instrumentation startup commands for NetWare, Windows, Linux, 
and Solaris systems. 


¢ “Starting and Stopping the NetWare and eDirectory Instrumentations on NetWare” on 
page 178 


+ “Starting and Stopping the eDirectory Instrumentation on Windows” on page 179 


¢ “Starting and Stopping the eDirectory Instrumentation on Linux and Solaris” on page 179 


Starting and Stopping the NetWare and eDirectory Instrumentations on NetWare 


NOTE: At server startup, the NetWare and eDirectory instrumentations should be loaded as soon as possible, 
but they must be loaded after TCP/IP. 


On NetWare, the startup scripts for auditNW and auditDS are included in the auditagt.ncf file. 
Auditagt.ncf is added to the server’s autoexec.ncf file during installation. Therefore, the NetWare 
and eDirectory Instrumentations automatically load each time the server restarts. 


If you want to prevent auditNW or auditDS from being unloaded by users with access to the server 
console, you can append the -n switch to the agent startup scripts. (For example, load auditnw -n .) 


To manually start the NetWare or eDirectory Instrumentation on NetWare, enter 
load auditnw 

or 

load auditds 

To load both the NetWare and eDirectory Instrumentations, enter 

load auditagt.ncf 

To stop the NetWare and eDirectory Instrumentations on NetWare, enter 
unload auditnw 


unload auditds 


NOTE: auditnw.nlm, audit.ds, and auditagt.ncf are located in the sys:\system directory. 


You must individually start or stop the instrumentations on each server in the tree. 
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Starting and Stopping the eDirectory Instrumentation on Windows 


On Windows, the eDirectory Instrumentation is managed through the Novell eDirectory Services 
utility. By default, the eDirectory Instrumentation must be manually loaded on one server per DS 
Replica. 


To manually load or unload the eDirectory Instrumentation on Windows: 
1 Load ndscons.exe. 
ndscons.exe is usually in the \novell\nds\ directory. 
2 In the list of installed services, select the Novell Nsure Audit Component. 
3 Click Start or Stop. 
To configure auditDS.dlm to load each time the server restarts: 
1 Load ndscons.exe. 
ndscons.exe is usually in the \novell\nds\ directory. 
2 In the list of installed services, select the Novell Nsure Audit Component. 
3 Click Startup. 
4 Mark the Automatic startup type, then click OK. 


Starting and Stopping the eDirectory Instrumentation on Linux and Solaris 


On Linux and Solaris systems, the eDirectory Instrumentation must be manually loaded on one 
server per DS Replica. 


To manually start the eDirectory Instrumentation on Linux or Solaris, enter 

start ndstrace -c “load auditds” 

To manually stop the eDirectory Instrumentation on Linux or Solaris, enter 

start ndstrace -c “unload auditds” 

To automatically load the eDirectory Instrumentation each time the server restarts, add 
auditds auto #Nsure Audit Platform Agent 


to /usr/lib/nds-modules/ndsmodules.conf. 


NOTE: On Linux systems, the startup script is /etc/init.d/novell-naudit .On Solaris systems, the startup script 
is /etc/init.d/naudit . 


AuditExt 


The AuditExt utility adds Novell Nsure Audit objects (Logging Services and its associated 
containers, the Logging Server object, Channel objects, Notification objects, and Application 
objects) to the eDirectory schema. 


Logging applications use AuditExt to create their associated Application objects and to populate 
the Application objects’ log schema attribute. 


Novell Nsure Audit stores LSC files as attributes in their respective Application object. English 
LSC files are stored under the NAuditAppSchemaEn attribute, French LSC files are stored under 
the NAuditAppSchemaFr attribute, and so forth. 
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AuditExt is also required to uninstall Novell Nsure Audit. For information on this procedure, see 
“Uninstalling Novell Nsure Audit” on page 154. 


Using AuditExt to Extend the Schema 


The installation program uses AuditExt to extend the eDirectory schema during the initial 
installation. Under normal circumstances, the schema should only be extended one time. This is 
automatically done during the Novell Nsure Audit installation on the first server in the tree. 


If, for some reason, the initial schema extension fails, you can run AuditExt to extend the schema 
again. However, you should not try to extend the schema again until the first schema extension is 
fully replicated. 


NOTE: A common indicator that the Novell Nsure Audit schema extension has failed is when you create Nsure 
Audit objects, but the objects don’t get added to the tree. The tree doesn’t recognize the attribute even though 
you are able to create the objects in iManager or WebAdmin. 


Another instance when you might need to run the AuditExt utility is to re-create the Logging 
Services container. If Logging Services is deleted from the tree, it can only be re-created by 
running AuditExt. 


To use AuditExt to extend the eDirectory schema or re-create the Logging Services container: 
1 Launch Auditext at the server console. 
+ On NetWare, enter sys: \system\auditext .nlm. 


+ On Windows, enter \program files\novell\nsure 
audit \auditext.exe. 


+ On Linux, enter /opt/novell/naudit/auditext. 
+ On Solaris, enter /opt /NOVLnaudit /auditext. 
2 Specify your admin username and password. 
3 Select Add Schema Extensions, then press Enter. 
AuditExt adds the Nsure Audit objects to the eDirectory schema. 


Using AuditExt to Add LSC Files to Application Objects 


During their installations, logging applications use the AuditExt utility to automatically create 
their associated Application objects and to populate the Application objects’ log schema attribute. 
However, if you modify or localize a Log Schema (LSC) file, you can manually add it to the 
Application object by running the AuditExt utility at the server console. 


You can also use the WebAdmin administration tool to manually add LSC files to Application 
objects. For more information see “Using AuditExt to Add LSC Files to Application Objects” on 
page 180. 


To add a log schema to an Application object at the server console, enter the following command: 


auditext -lsc -u:username -p:password "-a:Application_object" -f:LSC_file -1l:language 


NOTE: If the path to the LSC file contains spaces, enclose the path and the -f flag in quotation marks. For 
example, "-f:c:/my files/myapp.Isc". 


The following is a sample command that adds the English edir.Isc file to the eDirectory 
Instrumentation Application object: 


auditext -lsc -u:admin -p:argl "-a:eDirectory Instrumentation" -f:\temp\edir.lsc -1:en 


180 Novell Nsure Audit 1.0.1 Administration Guide 


AuditExt requires that the first line of all LSC files is formatted as follows: 
+"object_name”Application_ID"Application_Identifier” language _identifier 


Each parameter is explained below. 


Parameter Description 

object_name The string that is used as the name of the Application 
object. 

Application_ID The four-digit hex value assigned to the current 
application. 


All Application IDs are assigned through Novell Developer 
Support and are maintained in the Novell Nsure Audit 
central registry. 


Application_Identifier The name the logging application uses to identify itself to 
the logging server. 


The Application Identifier is stored in the application’s 
certificate. 


language_identifier A two-character code for the current LSC file’s language. 
+ EN = English 
+ ES = Spanish 
+ FR = French 
+ DE = German 
¢ IT = Italian 
+ PT = Portuguese 


+ RU = Russian 


If no path is given, AuditExt looks for the log schema files in the working directory of AuditExt. 
By default, schema log files are contained following directories: 


Operating System Directory 

NetWare sys:\system\naudit\* Isc 

Windows \program files\novell\nsure audit\logschema\*.Isc 
Linux /opt/novell/naudit/logschema/*.Isc 

Solaris /opt/NOVLnaudit/logschema/*.Isc 


AudCGen 


AudCGen is a command line utility that generates custom x.509 certificates for the Secure 
Logging Server and logging applications. Novell Nsure Audit uses certificates to authenticate 
logging applications and sign events. For more information on generating certificates, see Chapter 
11, “Security and Non-Repudiation,” on page 141. 


The AudCGen syntax is as follows: 
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audcgen -cert: filenam pkey: filename [-f] [base:directory] [-bits:number] [-serial:number] 


[-valid:days] {-ss | appcert:filenam apppkey: filename -app:Application_Identifier | -v 
-out :target_certificate) 


The following table reviews each of the command parameters. 


Parameter Description 


-cert: filename The path and filename for the Secure Logging Certificate. 


The default path and filename is base/cacert.pem . 


-pkey: filename The path and filename for the Secure Logging Certificate’s 
private key. 


The default path and filename is base/capkey.pem . 
[-f] Force overwrite. 


AudCGen overwrites any existing certificates or private keys of 
the same name (for example, cacert.pem and capkey.pem or 
appcert.pem and apppkey.pem) in the output directory. 


This parameter is optional. 


If you do not use the -f parameter and there is an existing 
certificate of the same name, AudCGen aborts. 


[base: directory] The default directory for the certificate and private key files. 


By default, base is the root directory. This parameter is 
optional. 


If you do not designate a base directory, you can include the 
directory in the certificate and private key strings. 


[-bits: number] The number of bits for the certificate. 


The default is 512; however, Novell Nsure Audit can handle 
certificates up to 1472 bits. 


[-serial: number] This parameter assigns a serial number to the current 
certificate. You can use this option to keep track of your 
system’s certificates. 


This parameter is optional. 
[-valid: days] The certificate’s expiration in days. 


The current iteration of Novell Nsure Audit does not verify if a 
certificate is valid. 


-SS Self-sign. 


AudCGen generates a self-signed CA certificate and key. 


appcert:filenam The output path and filename for the Logging Application 
Certificate. 


The default path and filename is base\appcert.pem. 
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Parameter Description 


apppkey: filenam The output path and filename for the Logging Application 
Certificate. 


The default path and filename is baselapppkey.pem. 
-app:Application_Identifier The logging application's Application Identifier. 


This value must match the Application Identifier stored the 
logging application’s Application object. 


-v Validate. 


AudCGen validates the certificate designated in the -out 
parameter. 


-out :target_certificate The path and filename for the certificate you want to validate. 


The default path and filename is base\*.pem 
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File Descriptions and Locations 


This section provides a listing of the Novell® Nsure™ Audit program files and their locations on 
each operating system. 


+ “Program Files” on page 185 


+ “Program Filenames and Directories” on page 188 


Program Files 


The following table lists the program files, their associated components, and their functions. 


See “Program Filenames and Directories” on page 188 for a breakout of program filenames by 
operating system. 


File Program Component Function 


auditagt.ncf Auditagt.ncf contains the startup script for the Novell 


eDirectory™ and NetWare® Instrumentations. It is added to the 
logging server’s autoexec.ncf file during installation. 


auditDS eDirectory Instrumentation The auditDS module hooks into the eDirectory event system. It 
logs all events configured under Nsure Audit > eDirectory in the 
NCP Server object. 


For more information, see “eDirectory Events” on page 75. 


IMPORTANT: On Windows, auditDS must be located in the 

same directory as the directory database set (DIB). By default, 
the DIB is located in \novell\nds\ . On UNIX, auditDS must be 
in /usr/lib/nds-modules . 


auditext A utility used to add or remove the Nsure Audit objects and 
attributes from the eDirectory schema. Auditext is used by the 
installation program to extend the eDirectory schema during 
installation. 


For more information, see “AuditExt” on page 179. 


auditNW NetWare Instrumentation (for The auditNW module hooks into the NSS, Traditional File 
NetWare only) System, and NetWare event systems. It logs all events 
configured under Nsure Audit > Filesystem or 
Nsure Audit > NetWare in the NCP Server object. 


For more information, see “NetWare Events” on page 75 and 
“File System Events” on page 75. 
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File Program Component 


auditsvr.ncf 


Icache Logging Cache Module for the 
Platform Agent 

lengine Secure Logging Server 

letrans LETrans 

Igdevr Critical Value Reset (CVR) channel 
driver 

Igdfile File channel driver 

Igdjava Java channel driver 

Igdmsql MySQL channel driver 

Igdora Oracle channel driver 

Igdsmtp SMTP channel driver 

Igdsnmp SMNP channel driver 


186 Novell Nsure Audit 1.0.1 Administration Guide 


Function 


Auditsvr.ncf contains the startup script for the Secure Logging 
Server. It is added to the logging server’s autoexec.ncf file 
during installation. 


The Logging Cache Module enables the Platform Agent to 
temporarily log incoming information to its Disconnected Mode 
Cache. 


For more information on configuring the disconnected mode 
cache, see “Configuring the Platform Agent” on page 57. 


The Secure Logging Server is the server component in the 
Nsure auditing system. It manages the flow of information to 
and from the Nsure auditing system. It receives incoming 
events and requests from the Platform Agents; logs information 
to the data store; monitors designated events; and provides 
filtering and notification services. 


For more information, see “Configuring the Secure Logging 
Server” on page 60. 


A utility designed to convert raw data files logged by the file 
channel, into a readable, delimited format. 


The CVR channel allows you to flag an attribute in eDirectory 
with a reset policy. If the value of that specific attribute is 
changed, the CVR channel driver resets the value as per the 
policy defined in the CVR Channel object. 


For more information, see “CVR” on page 83. 


The File channel driver writes events to a flat file in the file 
system. The driver can be configured to provide a single, 
comma-separated file (*.csv) or a human-readable log file. 


For more information, see “File” on page 85. 


The Java channel driver allows the logging server to output 
filtered events to a Java application. 


For more information, see “Java” on page 88. 


The MySQL channel driver writes events to a MySQL 
database. 


For more information, see “MySQL” on page 89. 


The Oracle channel enables the logging server to log events to 
an Oracle database. 


For more information, see “Oracle” on page 91. 


The SMTP channel driver e-mails events to a designated relay 
host. 


For more information, see “SMTP” on page 93. 


The SNMP channel driver sends events to an SNMP 
management system. 


For more information, see “SNMP” on page 95. 


File 


Igdsyslog 


log 


logevent 


logevent.cfg 
logevent.conf 


Ireport 


mdb 


mdbds 
mdbreg 


naudit 


nproduct.log 


webadmin 


webadminsvc.exe 


Program Component 


Syslog channel driver 


File channel log file 


Platform Agent 


Platform Agent configuration file 


Nsure Audit Report program file 


Interface to Novell eDirectory, the 
Windows registry, the file system, or 
other systems 


WebAdmin engine 


Function 


The Syslog channel driver allows the logging server to log 
events to a specific syslog facility on any syslog host or to a 
remote syslog daemon. 


For more information, see “Syslog” on page 97. 
The filename for the File Channel data store. 


The Platform Agent is the client component in the Nsure 
auditing system. It receives logging information and system 
requests from individual applications and transmits the 
information to the Secure Logging Server. 


For more information, see “Configuring the Platform Agent” on 
page 57. 


A text-based configuration file that stores the local Platform 
Agent's configuration settings. Every computer running the 
Platform Agent has its own logevent.cfg file. 


For more information on the configuration settings and file 
location, see “Configuring the Platform Agent” on page 57. 


Nsure Audit Report is a Windows-based, ODBC-compliant 
application that can query Oracle and MySQL data stores (or 
any other database that has ODBC driver support). 


MDB is a simple API that provides all the functionality required 
to access and manipulate a variety of hierarchical databases 
(for example, eDirectory, the Windows registry, the file system, 
or other systems). 


The MDB API allows Novell Nsure Audit to become 
independent of the actual database. 


The underlying concepts of MDB are similar to ODBC, though 
the functionality differs. 


MDBDS is the MDB driver for eDirectory. 
MDBREG is the MDB driver for the Windows Registry. 


Naudit contains the startup script for the Secure Logging 
Server on Windows, Linux, and Solaris systems. 


Nproduct.log contains any errors that have been logged during 
startup on Windows systems. 


WebAdmin is a highly flexible, browser-based administrative 
tool that provides a traditional, tree-oriented view (similar to 
NWAdmin). 


For more information, see “WebAdmin” on page 52. 


Webadminsvc.exe automatically starts and stops 
webadmin.exe on Windows systems. 
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Program Filenames and Directories 


The following link takes you to a table listing the Nsure Audit program files and their locations by 
operating system: 


Nsure Audit Filenames and Directories (http: //www.novell.com/documentation/lg/nsureaudit/ 
html/filenames_table.htm) 
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Documentation Updates 


This section contains information on documentation content changes that have been made in the 
Administration Guide for Novell Nsure Audit since the initial release of Novell Nsure Audit 1.0. 
This information will help you to keep current on updates to the documentation. 


If you have not used Novell Nsure Audit 1.0 you do not need to review this section. 


All changes that are noted in this section were also made in the documentation. The documentation 
is provided on the Web in two formats: HTML and PDF. The HTML and PDF documentation are 
both kept up-to-date with the documentation changes listed in this section. 


The documentation update information is grouped according to the date the changes were 
published. Within a dated section, the changes are alphabetically listed by the names of the main 
table of contents sections for Novell Nsure Audit 1.0.1. 


If you need to know whether a copy of the PDF documentation you are using is the most recent, 
the PDF document contains the date it was published on the front title page or in the Legal Notices 
section immediately following the title page. 


The documentation was updated on the following dates: 


+ “November 26, 2003” on page 189 


November 26, 2003 


Updates were made to the following sections. The changes are explained below. 
+ Activating Novell Nsure Audit 
+ Custom Query Variables 
¢ eDirectory Event Instrumentation 
¢ Linux and Solaris Startup Script Location 
+ Secure Logging Server on Windows XP 
+ WebAdmin 
+ Letrans Utility to Translate Raw Log Files 


Activating Novell Nsure Audit 


The Documentation was updated to contain information on Activating Novell Nsure Audit. See 
“Activating Novell Nsure Audit” on page 44. 
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Custom Query Variables 


The following new custom query variables were implemented: 


Function Description 

Date(mm-dd-yyyy) The given date in local time. 

Hex(x) The decimal value of hex value x 

IP(address An IP address in IPv4 dotted address form, or in host name form. 
Var(prompt) Prompts the user for a value. When a query containg this variable is run, 


the user is prompted to input a value based on prompt. 


For example, select * from $1 where text2=’ $Var (User 
Name) ’ , prompts the user for a “User Name” value which replaces the 
Var(prompt) variable. 


For a complete list of custom query variables, see “Custom Query Variables” on page 133. 


eDirectory Event Instrumentation 


The eDirectory log schema documentation incorrectly contained an application ID of 0001, 
instead of OOOB. This was corrected, you can view the updated log schema documentation in 
“eDirectory Events” on page 75. 


Information on using the platform agent on multiple eDirectory servers has been clarified, see 
“eDirectory Instrumentation” on page 34 for details. 
Linux and Solaris Startup Script Location 


The Linux and Solaris startup scripts are in new locations. See “Starting and Stopping the Secure 
Logging Server on Linux” on page 177 and “Starting and Stopping the Secure Logging Server on 
Solaris” on page 177 for details. 

Secure Logging Server on Windows XP 


Windows* XP is a client release of the Windows operating system and it is not licensed to perform 
server functions. Therefore, Windows XP was removed as a supported platform for the Secure 
Logging Server. The client instrumentation is still supported on Windows XP. 


WebAdmin 


Path information for WebAdmin was updated, see “WebAdmin” on page 52 for details. 


Letrans Utility to Translate Raw Log Files 


Information about translating raw log files logged by the file channel has been added, see 
“Working with Data Logged by the File Channel” on page 139 for details. 


190 Novell Nsure Audit 1.0.1 Administration Guide 


Glossary 


ACL (Access Control List) 


administrative tool 


alert 


Audit policy 


auditing service 


central data store 


channels 


channel object 


event 


event collection 


A list of the services available on a server. Also listed are the hosts permitted to use each service. 


The user interface in which product configuration and management tasks are performed. For 
Novell® Nsure™ Audit, the administrative tools are ¡Manager and WebAdmin. 


An audible or visual alarm (such as a phone call, instant message, page, siren, flashing light, e- 
mail, etc.) intended to inform a system's users and administrators about a policy violation, a change 
in the operating conditions of a system, or some kind of error condition. 


A policy that determines which events should be logged to the data store and how those events 
should be monitored. 


A distributed service that aggregates events from many sources and provides monitoring, logging, 
and reporting to facilitate analysis of the collected data. This is the “engine” of the product. 


The data store that contains every event logged to the system. Novell Nsure Audit logs all events 
to the central data store before any other action is performed. 


The communication paths that Novell Nsure Audit uses to log system events and provide event 
notification. 


Objects used to store the information the logging server needs to use a certain channel. For 
example, MySQL Channel objects include the IP address or host name of the MySQL database 
server, a username and password to connect to the server, the database and table names, and other 
relevant information. SMTP Channel objects, on the other hand, include the IP address or host 
name of the SMTP server, a username and password, and message information (the message 
recipients, sender, subject, and body). 


Data provided to the Auditing Service to be logged. This includes any significant occurrence in 
the system or its logging applications such as starting and stopping services, logging users on and 
off, accessing resources, granting access rights, and so forth. 


The process of gathering events and storing them in the central data store and filtered data stores. 
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event log 


event store 


forensics 


instrument 


instrumentation 


log entry 


log level 


logging 


logging application 


A collection of audit entries that make up an audit trail. Also, the destination file for audit entries 
or logged events. 


A generic reference to any collection of one or more event logs in a directory or database. 


A general term referring to the preservation, identification, extraction, and documentation of 
computer evidence from relevant logging applications. 


The process of configuring an application’s events so they conform to the Novell Nsure Audit 
standardized event structure. 


A logging application that can report events to Novell Nsure Audit. Logging applications must 
report events using the Novell Nsure Audit program’s standardized event structure. 


A recording of a system event in a log file, typically in a standard text or marked-up text format 
such as TXT, XML, and so forth. 


A mandatory component of an event that contains a descriptive severity level of the event. Log 
levels are 8 bits. 


Persistent storage of historical data. 


A generic term used to refer to any application that logs events to the Novell Nsure Audit for the 
purpose of leveraging its auditing, reporting, monitoring, or notification services. 


logging application certificate 


The certificate at the logging application. Logging application certificates must be signed by the 
logging server certificate. This is done using the AudCGen utility. 


logging server certificate 


monitor 


monitoring 


The certificate at the logging server. 


A user interface or a collection of user interfaces for viewing the real-time status of one or more 
aspects of a system or set of systems. A monitor can refer to a single gauge or a cluster of gauges. 
See “named view” on page 193. 


The act of viewing data in real time. The data is exposed through a program or set of programs 
used to oversee computer-based systems and networks for the purpose of tracking usage or 
identifying, reporting on, and solving problems at the earliest possible stage. Typically, different 
tools are used to monitor individual system components, although the individual monitors might 
feed information to a higher-level monitor in order to encompass an entire computing 
environment. 
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named view 


non-repudiation 


notification 


payload 


Platform Agent 


policy 


A view of a set of one or more monitors that has been named and saved, and can be configured and 
deployed to a specific user or set of users based on their role in the organization. For example, if 
an administrator wanted a specific set of users to see how many new users were added to an HR 
application, the monitor for the HR application could be placed in a view named “New 
Employees.” Rights to access these named views can then be managed based on roles. 


Unforgeable evidence that a specific action occurred. 


This differs slightly from the traditional legal meaning of non-repudiation, which refers to the 
irrefutable genuineness of a traditional signature. Non-repudiation services typically include non- 
repudiation of origin, non-repudiation of delivery, non-repudiation of receipt, and non-repudiation 
of submission. The purpose of non-repudiation, in conformance with ISO/IEC 13888-1, -2 and - 
3, is to provide verifiable proof or evidence recording of data, based on cryptographic check values 
generated by using symmetric or asymmetric cryptographic techniques. 


Non-repudiation of approval service provides proof of whom is responsible for approval of the 
content of a message. 


Non-repudiation of sending service provides proof of who sent a message. 
Non-repudiation of origin service 1s a combination of approval and sending services. 


Non-repudiation of submission service provides proof that a delivery authority has accepted a 
message for transmission. 


Non-repudiation of transport service provides proof for the message originator that a delivery 
authority has given the message to the intended recipient. 


Non-repudiation of receipt service provides proof that the recipient received a message. 


Non-repudiation of knowledge service provides proof that the recipient recognized the content of 
a received message. 


Non-repudiation of delivery service is a combination of receipt and knowledge services. It 
provides proof that the recipient received and recognized the content of a message. 


An automatically generated announcement or message intended to inform a system's users and/or 
administrators about a specific condition of the system. 


Application-specific event data that logging applications can include in their event structure, 
allowing Novell Nsure Audit to log more specific data. 


The operating system-level agent that handles event transport between logging applications and 
the Secure Logging server. 


An organization’s rules governing event logging, the data store, event notifications, reset actions, 
and so forth, or the implementation of these rules. Policy is usually something that is written down, 
such as in an operations manual. Policy is often enforced through a defined set of rules. 
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query results 


query 


report 


resource 


role 


rule 


secure auditing 


threshold 


trigger 


UTC 


The events returned from a data query. The information is presented in a data table; rows represent 
individual records and columns represent fields within those records. 


A request for specific information from the data store. In Novell Nsure Audit, queries are made 
using the SQL query language. 


A Crystal Decisions Report (*.rpt). Reports can graphically represent log data in pie charts, bar 
charts, and so forth. 


A specified right, privilege, or item that can be granted or revoked from a user. 


A function or position with associated rights and privileges dictating the operations a user is 
permitted to perform. Multiple roles can be assigned to one user. 


Repeatable process steps that are performed in a defined order, and result in the application ofa 
policy. 


An auditing service where, the logged data and functioning are defensible in a court of law. 


A specified point that when exceeded begins producing a specified effect or result when it is 
exceeded. 


An act that sets in motion some course of occurrences. For example, an event that is found to be 
incongruent with business policy can be an impetus for action such as a notification or value reset. 


Coordinated Universal Time, also know as Universal time. UTC is kept within 0.9 seconds of 
GMT with leap seconds that are added to or omitted from official timekeeping systems annually 
to compensate for changes in the rotation of the earth. 


The abbreviation UTC is a language-independent international abbreviation which is neither 
English nor French. It means both “Coordinated Universal Time” and “Temps Universal 
Coordonné.” 


194 Novell Nsure Audit 1.0.1 Administration Guide 


